Discussion on HTTP filtering the Fake Google Spam

Discussion on HTTP filtering the Fake Google Spam - 26.Aug.2004 4:33:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the "filtering the fake Google spam" article at http://isaserver.org/articles/2004fakegoogle.html.

Thanks!
Tom

[ August 26, 2004, 04:51 AM: Message edited by: tshinder ]
Post #: 1
RE: Discussion on HTTP filtering the Fake Google Spam - 26.Aug.2004 10:19:00 AM   
andrew.toon

 

Posts: 26
Joined: 22.Jul.2004
Status: offline
Hi Tom,

There appears to be an issue with using the "Response Body" search criteria when using HTTP filtering.

I've noticed that if you've got any "Response Body" filters set then some downloads may not work because it can't scan the response content. It denies the connection attempt and shows the error "Blocked by the HTTP security filter: the response content is encoded and cannot be scanned". As a test try to access the URL below with a "Response Body" signature filter set.

http://download.smoothwall.org/archive/updates/2.0/2.0-fixes4.tar.gz

Andrew

(in reply to tshinder)
Post #: 2
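
The behaviour Andrew reports above, modelled as an added example (not part of the thread and not ISA Server's code). It assumes the filter keys on the `Content-Encoding` response header, which the thread does not confirm; the signature, policy names and sample responses are constructed.

```python
import gzip
import zlib

# Constructed placeholder; the article's real signature is not given in this thread.
SIGNATURE = b"fake-google-marker"

def scan_response(headers, body, policy="fail_closed"):
    """Return (action, reason) for a response under a body-signature rule.

    policy 'raw'         : match the bytes exactly as received
    policy 'fail_closed' : deny any response that carries a content encoding
    policy 'decode'      : undo gzip first, deny encodings that cannot be undone
    """
    encoding = headers.get("Content-Encoding", "identity").lower()
    if encoding != "identity":
        if policy == "fail_closed":
            return ("deny", "response content is encoded and cannot be scanned")
        if policy == "decode":
            if encoding not in ("gzip", "x-gzip"):
                return ("deny", "unsupported encoding: " + encoding)
            try:
                body = gzip.decompress(body)
            except (OSError, EOFError, zlib.error):
                return ("deny", "malformed gzip body")
    if SIGNATURE in body:
        return ("deny", "response body signature matched")
    return ("allow", "no signature match")

# Constructed sample responses: (headers, body)
PAGE = b"<html><body>" + b"<p>result</p>" * 20 + SIGNATURE + b"</body></html>"
PLAIN = ({"Content-Type": "text/html"}, PAGE)
GZIPPED = ({"Content-Type": "text/html", "Content-Encoding": "gzip"},
           gzip.compress(PAGE))
ARCHIVE = ({"Content-Type": "application/x-tar", "Content-Encoding": "x-gzip"},
           gzip.compress(b"harmless archive bytes"))

if __name__ == "__main__":
    samples = [("plain", PLAIN), ("gzipped", GZIPPED), ("archive", ARCHIVE)]
    for name, (hdrs, data) in samples:
        for policy in ("raw", "fail_closed", "decode"):
            print(name, policy, scan_response(hdrs, data, policy))
```

Under `raw` the gzipped page passes unmatched, which is the gap a fail-closed filter avoids at the cost of denying legitimate encoded downloads such as the archive.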
RE: Discussion on HTTP filtering the Fake Google Spam - 26.Aug.2004 2:43:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andrew,

Very odd, since I can download other compressed files. You know the reason for this?

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion on HTTP filtering the Fake Google Spam - 26.Aug.2004 3:25:00 PM   
Jim Harrison

 

Posts: 271
Joined: 5.May.2001
From: Redmond, WA
Status: offline
Hi Andrew,

Can you send:
1 - your log entries showing which rule fired on that request?
2 - your ISAInfo (http://isatools.org/isainfo/isainfo.zip)?

I just tried it and I got the download just fine..

(in reply to tshinder)
Post #: 4
RE: Discussion on HTTP filtering the Fake Google Spam - 26.Aug.2004 3:32:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Jim,

Here's the pertinent line for me:

Original Client IP Client Username Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Network Destination Network Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Source Port Processing Time Bytes Sent Bytes Received Result Code Cache Information Error Information Log Record Type Log Time Client IP Destination IP Destination Port Protocol Action Rule URL Client Agent HTTP Method HTTP Status Code Raw Payload

0.0.0.0 anonymous No Proxy CELESTIX-H5L4CS download.smoothwall.org TCP application/x-tar Internet Internal External - - - Blocked by the HTTP security filter: the response content is encoded and cannot be scanned - - 0 401 4349 388 0x800000 0x480 Web Proxy Filter 8/26/2004 8:33:20 AM 192.168.1.8 69.10.132.180 80 http Denied Connection All Open http://download.smoothwall.org/archive/updates/2.0/2.0-fixes4.tar.gz Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461; .NET CLR 1.1.4322) GET 12217 The request was rejected by the HTTP filter. Contact your ISA Server administrator. -

The name of the rule is "All Open" and you guessed it, it's like the default ISA 2000 Protocol Rule [Big Grin]

[ August 26, 2004, 03:34 PM: Message edited by: tshinder ]

(in reply to tshinder)
Post #: 5
RE: Discussion on HTTP filtering the Fake Google Spam - 26.Aug.2004 3:36:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Jim Harrison:
Hi Andrew,

Can you send:
1 - your log entries showing which rule fired on that request?
2 - your ISAInfo (http://isatools.org/isainfo/isainfo.zip)?

I just tried it and I got the download just fine..

Hey Jim,

Are you using the Web Proxy client configuration?

Thanks!
Tom

(in reply to tshinder)
Post #: 6
RE: Discussion on HTTP filtering the Fake Google Spam - 26.Aug.2004 7:48:00 PM   
andrew.toon

 

Posts: 26
Joined: 22.Jul.2004
Status: offline
Tom, that's exactly what I get. I'm not sure why it doesn't work.

Andrew

(in reply to tshinder)
Post #: 7
RE: Discussion on HTTP filtering the Fake Google Spam - 26.Aug.2004 8:04:00 PM   
Jim Harrison

 

Posts: 271
Joined: 5.May.2001
From: Redmond, WA
Status: offline
..but of course.
I still have my HTTP Redirector [Wink] HTTP Filter enabled, so it doesn't matter how you come to my ISA; you get HTTP Filtered...

(in reply to tshinder)
Post #: 8
RE: Discussion on HTTP filtering the Fake Google Spam - 26.Aug.2004 8:06:00 PM   
andrew.toon

 

Posts: 26
Joined: 22.Jul.2004
Status: offline
Here's the output from the log for the connection. The rule is only for HTTP Protocol from "Internal" to "Anywhere", Users "All Users".

Log Time: 26/08/2004 09:09
Destination IP: 69.10.132.180
Destination Port: 80
Protocol: http
Action: Denied Connection
Rule: Web Access Only
Client IP: 132.147.160.219
Client Username: anonymous
Source Network: Internal
Destination Network: External
HTTP Method: GET
URL: http://download.smoothwall.org/archive/updates/2.0/2.0-fixes4.tar.gz
Original Client IP: 0.0.0.0
Client Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 1.0.3705)
Authenticated Client:
Service: Proxy
Server Name: PLC-FWALL
Referring Server: -
Destination Host Name: download.smoothwall.org
Transport: TCP
MIME Type: -
Object Source: Internet
Source Proxy:
Destination Proxy:
Bidirectional:
Client Host Name:
Filter Information: Blocked by the HTTP security filter: the response content is encoded and cannot be scanned
Network Interface:
Raw IP Header:
Source Port: 0
Processing Time: 3625
Bytes Sent: 4352
Bytes Received: 397
Result Code:
HTTP Status Code: 12217
Cache Information: 0x804040
Error Information: 0x480
Log Record Type: Web Proxy Filter

(in reply to tshinder)
Post #: 9
RE: Discussion on HTTP filtering the Fake Google Spam - 26.Aug.2004 9:17:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Jim Harrison:
..but of course.
I still have my HTTP Redirector [Wink] HTTP Filter enabled, so it doesn't matter how you come to my ISA; you get HTTP Filtered...

Dude,

Maybe that's the problem. This is 2004 and there isn't a redirector in it.

Are you using 2000?

Thanks!
Tom

(in reply to tshinder)
Post #: 10
