
Ok so I was talking with a consultant today who was visiting my place of employment, and he was telling me about all of the trouble he was having with fake AV software infecting clients. I remembered that way back when, I was trying to figure out how to enforce policy with technical controls, i.e. "you are not allowed to download anything off of the internet that is not approved", and came up with this transparent squid config to do so. It is not perfect, but it attempts to stop exe downloads over http based on the following characteristics:
1. File extension
2. File extension inside of content-disposition header
3. The mime-type that is sent back in the reply from the server (can be spoofed, since the server controls it)
Maybe a fun project to work on would be a mime-sniffer for squid, similar to what IE does, using libmagic. Or maybe hack up what is already in c-icap, as it does mime-sniffing to determine what to send to its AV scanner. I have also hacked up frox to forward requests to squid for ftp downloads and drop the download when we get a denied message from squid. This code needs to be cleaned up and tested more before it is published. Something else interesting to keep an eye on is the SSLBump feature set that is being worked on in squid HEAD. Will we someday get transparent SSL MITM in Squid to filter out unwanted downloads, similar to what vendors like blue-coat offer?
Anyway, let's look at how to do this... The first thing we are going to do is create a custom error page that will be displayed to users if a download is denied for some reason. Yeah, I created it in Open Office; it's late and I'm feeling lazy ;-)... If you wish to use the one I created you can pull it from here. In this example you will need to copy this file to your squid error directory; in my case the file would end up being
/usr/share/squid/errors/English/ERR_BLOCKEXE
Below is the squid.conf file, which you can pull from the emerging threats site as well. It is pretty self explanatory; note that the deny_info page is the one that is displayed to users when they download something naughty, in this case the ERR_BLOCKEXE file we created. In addition I have found it helpful to generate a simple daily report of the blocked downloads with a cron job.
# Daily report: every access_log line from today that squid denied with a 403,
# mailed to the admin. Fixed-string matching (-F) is enough here - the date,
# the TCP_DENIED tag and the status field contain no regex metacharacters.
grep -F "$(date +%d/%b/%Y)" /var/log/squid/access_log | grep -F 'TCP_DENIED' | grep -F ' 403 ' | /bin/mail -s 'daily squid block report' someguy@somesite.com
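http_port 3128 transparent
visible_hostname tproxy
#list of trusted domains that we will allow downloads from
#(these bypass every download check below, so keep the list short and review it)
acl noscan dstdomain .emergingthreats.net .blackberry.com .macromedia.com .apple.com .windowsupdate.com .hp.com .xerox.com .sw.be .centos.org .microsoft.com .adobe.com .sun.com .nai.com .symantecliveupdate.com .mcafee.com .symantec.com .vmware.com .trendmicro.com
no_cache deny noscan
always_direct allow noscan
#cache junk
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 512 MB
cache_dir ufs /var/spool/squid 2000 16 256
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl manager proto cache_object
#various acl's
acl alldst dst 0.0.0.0/0.0.0.0
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1
acl our_networks src 192.168.2.0/255.255.255.0
acl our_networks src 192.168.1.0/255.255.255.0
#remove accept encoding to prevent gzip stuff along with range requests
#NOTE(review): presumably so replies reach the checks below uncompressed and whole - confirm
header_access Accept-Ranges deny alldst
header_access Accept-Encoding deny alldst
header_replace Accept-Encoding identity
header_replace Accept-Ranges none
#use OpenDNS servers can block adware pr0n etc..
#If you are using a dynamic IP ddclient works very well for
#keeping your account up2date with the latest IP
dns_nameservers 208.67.222.222 208.67.220.220
#techmachines acl
#acl techmachines src 192.168.2.199
#acl techmachines src 192.168.2.200
#we are only redirecting port 80 so only allow port 80 traffic.
acl Safe_ports port 80 # http
http_access deny !Safe_ports
http_access allow manager localhost
http_access deny manager
#block requests whose URL path ends in a blocked extension.
#"($|\?)" matches the extension at the end of the path OR directly before a
#query string (setup.exe?id=1); the previous "\??$" only tolerated a bare trailing "?"
acl DENY_EXE urlpath_regex -i \.(exe|msi|scr|cab|chm|cpl|hlp|hta|ins|isp|jse|lnk|ocx|reg|sct|vbe|wsc|wsf|pif|sys|shs|zip|rar|tar|7z|torrent)($|\?)
#domains we always want to block
acl denydomains dstdomain .ssl86.ru .ytgw123.cn .gmail-security.com perlbody.t35.com summertime.1gokurimu.com doradora.atzend.com
http_access deny denydomains
#dst ips we always want to block
acl dstips dst 195.242.161.63 59.106.145.58
http_access deny dstips
#allow trusted domains
http_access allow noscan
http_reply_access allow noscan
#allow your techs or whomever to pull exe's
#http_access allow techmachines
#http_reply_access allow techmachines
#block sites with exe in the uri
deny_info ERR_BLOCKEXE DENY_EXE
http_access deny DENY_EXE
#allow localhost and everything else
http_access allow localhost
http_access allow our_networks
#anything not explicitly allowed above is denied. This was already the implicit
#default (the opposite of the last rule); stating it keeps the policy readable.
http_access deny all
#block exe downloads where the uri does not end in exe but the server is still
#sending an exe via the Content-Disposition header
#http://www.ietf.org/rfc/rfc2183.txt
#the filename parameter may be a quoted string or a bare token, so the closing
#quote is optional; the previous pattern required it and missed unquoted filenames
acl blocked_contdisp rep_header Content-Disposition -i \.(exe|msi|scr|cab|chm|cpl|hlp|hta|ins|isp|jse|lnk|ocx|reg|sct|vbe|wsc|wsf|pif|sys|shs|zip|rar|tar|7z|torrent)\??"?$
#deny_info must name the acl used in the deny rule; the previous line referenced
#"contdisp", which does not exist, so these replies did not get the custom page
deny_info ERR_BLOCKEXE blocked_contdisp
http_reply_access deny blocked_contdisp
#block exe mime types (the server chooses this header, so this is the weakest check)
acl mime rep_mime_type -i ^application/exe$
acl mime rep_mime_type -i ^application/x-exe$
acl mime rep_mime_type -i ^application/dos-exe$
acl mime rep_mime_type -i ^vms/exe$
acl mime rep_mime_type -i ^application/x-winexe$
acl mime rep_mime_type -i ^application/msdos-windows$
acl mime rep_mime_type -i ^application/x-msdos-program$
acl mime rep_mime_type -i ^application/x-msdownload$
acl mime rep_mime_type -i ^application/x-cab-compressed$
acl mime rep_mime_type -i ^application/x-oleobject$
acl mime rep_mime_type -i ^application/x-cabinet$
acl mime rep_mime_type -i ^application/x-dosexec$
acl mime rep_mime_type -i ^vnd.ms-cab-compressed$
acl mime rep_mime_type -i ^application/x-cabinet-win32-x86$
acl mime rep_mime_type -i ^application/x-pe-win32-x86$
acl mime rep_mime_type -i ^application/x-setupscript$
deny_info ERR_BLOCKEXE mime
http_reply_access deny mime
#allow all other reply
http_reply_access allow all
#get some extra logging info
strip_query_terms off
log_mime_hdrs on
#custom log format for more information
#NOTE(review): the reply-size token and the Referer field were garbled in the
#published copy (it showed '%h"'); reconstructed from squid's standard combined
#format as '%<st "%{Referer}>h"' - confirm against your squid version
logformat combined %>a %ui %un [%{%d/%b/%Y:%H:%M:%S -0600}tl] "%rm %ru HTTP/%rv" %Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh %mt
access_log /var/log/squid/access_log combined
error_directory /usr/share/squid/errors/English
coredump_dir /var/spool/squid
#disabled for performance
cache_store_log none
cache_log none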