[squid-users] File extension blocking rules

From: Luís Fernando C. Talora <talora-listas@dont-contact.us>
Date: Thu, 18 May 2006 09:37:00 -0300

Fellows,
 
To protect dummy users against themselves, I've put a few rules on my
Squid server to prevent them from downloading some potentially dangerous
files by their extensions, such as .exe, .zip, .bat, .scr, and so on. Part
of the "regex" files for those rules follows:

    \.com$
    \.scr$
    \.bat$
    \.pif$
    (...)

However, a user received a mail message with a link to some "virtual
card" (which was, indeed, some kind of trojan) and I've noticed that
Squid allowed the user to download the file. The link follows:

    
    http://www.mikes.educv.ro/albums/cartao.scr?4d325356ae47122a6e7b8f1f07cae26d

It is quite impressive how the bad guys create ways to bypass the
proxy... If the URL does not end with the ".xxx", the rule is easily
bypassed. So I've tried the following:

    \.scr[\?\&]?.*

It worked, but too many pages were blocked by mistake. Then I've thought
of this:

    \.scr$
    \.scr[\?\&]

It probably works, but I didn't try it, and it doesn't seem to be the
best way to do it (I would need to create two lines for each blocked
extension). My question is: is there an easier way to do that? I mean, a
single rule that works in both cases (the file extension followed by the
"?" - or the "&" - in the middle of the URL or at the end of the URL).

Thanks a lot!

LUIS FERNANDO C. TALORA
Received on Thu May 18 2006 - 06:37:19 MDT
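
The patterns from the message above, checked against sample paths. This is an added example, not part of the original post. It assumes the regex is matched unanchored against the URL path plus query string, as the behaviour described in the post implies; `COMBINED` and the sample paths are constructed for illustration.

```python
import re

# Patterns quoted from the post.
END_ONLY = r"\.scr$"        # original rule: extension at the very end only
GREEDY = r"\.scr[\?\&]?.*"  # first attempt: optional class plus .* equals a bare \.scr

# Added single rule (assumption, not from the post): a listed extension
# followed by "?", "&" or the end of the string. [?&] is written without
# backslashes so it stays valid as a POSIX bracket expression, where a
# backslash inside brackets would be a literal character.
COMBINED = r"\.(com|scr|bat|pif)([?&]|$)"

# Constructed URL paths with the intended verdict (True = should be blocked).
SAMPLES = [
    ("/albums/card.scr", True),
    ("/albums/card.scr?0123abcd", True),
    ("/get.php?id=7&file=setup.scr&x=1", True),
    ("/help/faq.screen.css", False),
    ("/js/menu.scripts/index.html", False),
    ("/docs/transcript.html", False),
]


def blocked(pattern, url_path):
    """True if the pattern matches anywhere in the path (unanchored search)."""
    return re.search(pattern, url_path) is not None


def mistakes(pattern):
    """Sample paths where the pattern's verdict differs from the intended one."""
    return [path for path, want in SAMPLES if blocked(pattern, path) != want]


if __name__ == "__main__":
    rules = [("end-only", END_ONLY), ("greedy", GREEDY), ("combined", COMBINED)]
    for name, pattern in rules:
        print(f"{name:9} {pattern:30} wrong on: {mistakes(pattern) or 'none'}")
```

Any extension-based rule still matches a query value that merely ends in a listed extension (for example a redirect parameter ending in a `.com` hostname), so the combined pattern reduces false positives without removing them.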
