Watchguard Fireware Tips & Tricks: Body Content Type rules

Friday, February 03, 2006

Body Content Type rules

I have a nice virus collection on my test computer, looking at the headers of all those little critters I found out that the default "Windows EXE/DLL" "Body Content Type" rule is far from sufficient for blocking executable content. I think it was build to block ActiveX (in combination with the "Windows CAB archive" rule) and it does a reasonable good job at that.
If you want to go further and also like to block other executable content, you may want to consider the following rules. TEST these rules before setting them to deny in a production environment. I have had no false positives from these rules yet. But your organization may have specific needs.
The best way to test is to set the rules action to allow and enable alarm and log

All the rules are Pattern matches:

EXE - Windows NE format:
%0x4d5a50000200000004000f00ffff0000%*

EXE - FSG packed:
%0x4d5a000000000000000000005045%*

EXE - NSpacked:
%0x4d5a40000100000002000000ffff0000%*

EXE - Upacked
%0x4d5a4b45524e454c33322e444c4c%*

EXE - undefined packer:
%0x4d5a80000100000004001000ffff0000%*

CHM (Compiled Help File) (MS04-025) (Also add *.chm to "URL paths")
%0x495453460300000060%*

WMF - 1: (MS06-001) (Also add *.wmf to "URL paths")
%0x01000900%*

WMF - 2:
%0x02000900%*

I also have a rule:

EXE - generic
%0x4d5a%*

For me this also did not trigger any false positives, but it maybe far to rigours for you.

Not related to fighting viruses but also nice are:

7-Zip archive:
%0x377abcaf271c%*

RAR archive (Also add *.rar to "URL paths"):
%0x526172211A%*

ZIP archive multivolume:
%0x504b0708%*

InstallShield file:
%0x49536328%*

BitTorrent Link:
%0x64383A616E6E6F756E6365%*

MP3 (Only blocks MP3's with a ID3v2 tag) (Also add *.mp3 to "URL paths")
%0x4944330300000000%*

OGG (Also add *.ogg to "URL paths")
%0x4F676753%*

19 Comments:

Anonymous said...: where should these patterns be added? HTTP-Proxy, what tab? i am having a blond moment...; 6:30 PM
Placebo said...: Open the fireware policy manager. Goto --> Setup --> Actions --> Proxy Actions... --> Select the proxy you want the rule to apply to and click edit. Now select 'Body Content Types' under 'HTTP responds' --> click 'Change View' and then click 'Add..' to add a new rule.; 1:26 PM
Anonymous said...: HELP!!!... I'm a 3D artist, and I just put up a website to show my work... Everything is going fine except for the Animation downloads... When they get clicked, the following message appears... "Response denied by WatchGuard HTTP proxy.
Reason: body content-type denied rule='ZIP archive'
Method: GET
Host: www.philhook.com
Path: .../*.zip"... How do I get around this? These downloads need to be accessable!; 6:14 AM
Placebo said...: Hi Phil, You seam to have a Watchguard firewall in front of your webserver. Only the watchguard uses a HTTP-Client proxy to protect your webserver, you should use a HTTP-Server proxy.; 10:09 AM
Anonymous said...: Hello,

I am experiencing something really weird with a Firebox X1000. I have an apache/php server setup on a Linux machine behind the firebox serving requests externally thru NAT. I use a standard http-proxy server rule for the incoming http requests without any additional modification.

When I run a lot of php pages, including standard phpinfo(), instead of getting the correct page, I get a page that starts with
2010
!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd"
html
head
style type="text/css"
...

Basically it throws in the additional "2010" or some characters before the actual web page, so my web browser gets junk instead of the actual page.

I checked the log and noticed that the number 2010 comes from some "chunk-size" info on the firebox:

Here is a snippet of the http-proxy log from the firebox:

5-31 11:24:26 Allow x.y.z.w x1.y1.z1.w1 http/tcp 2314 80 0-External 2-Optional-1 ProxyAllow: HTTP Header content type match (HTTP-proxy-00) dst_ip_nat="10.x.y.z" dst_port_nat="80" proxy_act="HTTP-Server.1" rule_name="Default" content_type="text/html; charset=UTF-8"
05-31 11:24:26 cfm[5537] [http] checking header='Date: Wed, 31 May 2006 15:17:11 GMT\x0d\x0a'
05-31 11:24:26 cfm[5537] [http src=handle_data_headers_check_cb:4630] trace: normalized header-line='Date: Wed, 31 May 2006 15:17:11 GMT'
05-31 11:24:26 cfm[5537] [http] header matched rule name='Default' pattern='(null)' action=[0]
05-31 11:24:26 cfm[5537] [http] checking header='Server: Apache/2.0.52 (CentOS)\x0d\x0a'
05-31 11:24:26 cfm[5537] [http src=handle_data_headers_check_cb:4630] trace: normalized header-line='Server: Apache/2.0.52 (CentOS)'
05-31 11:24:26 cfm[5537] [http] checking header='X-Powered-By: PHP/5.0.4\x0d\x0a'
05-31 11:24:26 cfm[5537] [http src=handle_data_headers_check_cb:4630] trace: normalized header-line='X-Powered-By: PHP/5.0.4'
05-31 11:24:26 cfm[5537] [http] checking header='Connection: close\x0d\x0a'
05-31 11:24:26 cfm[5537] [http src=handle_data_headers_check_cb:4630] trace: normalized header-line='Connection: close'
05-31 11:24:26 cfm[5537] [http] checking header='Transfer-Encoding: chunked\x0d\x0a'
05-31 11:24:26 cfm[5537] [http src=handle_data_headers_check_cb:4630] trace: normalized header-line='Transfer-Encoding: chunked'
05-31 11:24:26 cfm[5537] [http] checking header='Content-Type: text/html; charset=UTF-8\x0d\x0a'
05-31 11:24:26 cfm[5537] [http src=handle_data_headers_check_cb:4630] trace: normalized header-line='Content-Type: text/html; charset=UTF-8'
05-31 11:24:26 cfm[5537] [http src=wghttp_do_ips_check:1050] trace: IPS not enabled
05-31 11:24:26 cfm[5537] [http src=handle_data_headers_check_cb:5202] trace: desc={ url='/tracoms_clerk/cpt/info.php' ctype_mimetype='text/html' }
05-31 11:24:26 cfm[5537] [http src=handle_data_headers_check_cb:5207] trace: ctid=[0x180060]
05-31 11:24:26 cfm[5537] [http] header matched rule name='Default' pattern='(null)' action=[0] 5
05-31 11:24:26 cfm[5537] [http] expecting chunked body
05-31 11:24:26 cfm[5537] [http] expecting next chunk-size line timeout=[600]secs
05-31 11:24:26 cfm[5537] [http] chunk-size line='2010\x0d\x0a'
05-31 11:24:26 cfm[5537] [http] bytecount=[200] increment=[6]
05-31 11:24:26 cfm[5537] [http] set bytecount=[206]
05-31 11:24:26 cfm[5537] [http] chunk-size=[8208]bytes
05-31 11:24:26 cfm[5537] [http] relaying chunk-data size=[8208]bytes then=[0]bytes timeout=[600]secs
05-31 11:24:26 cfm[5537] [http] bytecount=[206] increment=[2514]
05-31 11:24:26 cfm[5537] [http] set bytecount=[2720]

My configuration is
Linux CentOS 4.3
Kernel 2.6.9-34.106
Apache 2.0.52
PHP 5.0.4

Note that the problem occurs with PHP 4.3.x that ships with CentOS 4.3 as well

I will greatly appreciate any help and will gladly provide more info if requested.

Thanks,

axm26.; 5:48 PM
Placebo said...: please see this topic on the watchguard support forum:

https://www.watchguard.com/forum/default.asp?action=9&read=545&fid=31&BoardID=2#8065; 12:44 PM
Anonymous said...: Placebo:

Thanks for the tip, I posted there and found out that the problem has been fixed in Fireware 8.3. I was able to receive a Beta version from Watchguard that fixed my problem.; 5:35 PM
Anonymous said...: Any chance you know of a tool where you can give it 4 or 5 files and it can extract a usable pattern for use with the Body Content Filtering? i.e. Browse to a set of Mp3 files and it will output: Use this string to block these files: !@AWDFFLK@#

This type of utility would be helpful in figuring out the patterns to use for other various types like .com files or .jsp etc...; 5:58 PM
Placebo said...: On http://mark0.net/soft-trid.html you can find:

http://mark0.net/download/triddefs_xml.rar

In that rar file are 'body content type descriptions' for 2000+ file types. You still have to make you own pattern out of it but it has been of great help to me.; 6:19 PM
Anonymous said...: Some of you may find the following URL useful as well. The regular expressions given are pretty useful, as well as the denied extensions list.

I've been running these rules in my Fireware HTTP proxy for quite some time and with very few false positives.

--WGT; 6:11 AM
Anonymous said...: And now for the URL this time.. =)

http://www.ncl.ac.uk/iss/email/mailscanrules.html

--WGT; 6:15 AM
Unknown said...: Hi I am having issues downloading a .docx file. My firebox is giving the following error:

Reason: body content-type denied rule='ZIP archive'; 8:26 PM
Anonymous said...: Hi,

Where can we get additional information about these patterns?please let me know.

Thanks
Akram; 3:51 PM
Anonymous said...: Hi,

Will these signatures block EXE inside a ZIP file.; 11:40 AM
Unknown said...: when i want to open youtube, it is showing the following .how to solve it

Request denied by IM WatchGuard HTTP proxy.

Reason: one or more categories denied helper='STUDENTS.2' details='Streaming Media'
Method: GET
Host: www.youtube.com
Path: /; 4:43 PM
Unknown said...: Request denied by IM WatchGuard HTTP proxy.
Reason: one or more categories denied helper='STUDENTS' details='Streaming Media'
Method: GET
Host: www.youtube.com
Path: /

WHAT SHOULD I DO NOW? TO OPEN THIS; 11:39 AM
Insomnic said...: i cant download anything with this "Response denied by WatchGuard HTTP proxy." in the way. what to do -_- i have windows, and using google chrome.; 1:14 AM
Ken North said...: can someone help how to get around
with this msg

esponse denied by WatchGuard HTTP proxy.

Reason: all proposed authentication schemes denied
Method: GET
Host: link.jumpdemand.com
Path: /s/x6iqC "; 1:25 AM
Anonymous said...: Hello , please help me solving this problem : I can't open games. When i click the URL , this thing came out : Request denied by WatchGuard HTTP Proxy.

Reason: Category 'Games' denied by WebBlocker policy 'WebBlocker-PUBLIC'.

Please contact your administrator for assistance.

More Details:

Method: GET

Host: habbo.com

Path:/; 6:45 AM

Watchguard Fireware Tips & Tricks

Friday, February 03, 2006

Body Content Type rules

19 Comments:

Previous Posts