emiliano_mastro
Contributor

Best way to block the new .zip domain

Hi guys,
I have read about a new phishing technique called "file archiver in the browser" that can be leveraged to "emulate" file archiver software in a web browser when a victim visits a .ZIP domain, so I would like to block all sites under the .zip domain on my R81.10 firewall.

What is the best way to do that without consuming a lot of firewall resources?

I was thinking of using a "custom application/site" without regex: *.zip

On my firewall I have all capabilities enabled (URL Filtering, Application Control, and HTTPS Inspection).


Thanks a lot

Accepted Solution
Bob_Zimmerman
Authority

Put a slash after it, as I described in the most recent post in the thread I linked.

*.zip/

13 Replies
PSushko
Contributor

Personally, I was hoping I could do it with a simple *.zip in a custom application, but that ended up matching regular zip file downloads, and even Googling the string ".zip". I then tried a much more complex regex: /^(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+(zip|mov)$/ (without the /; I simply used those to delimit the regex in this comment).

But the policy fails to push with this regex. It might be too complex for Check Point. I have a ticket open; I'll keep you updated on the results.

the_rock
Legend

That's exactly how I blocked it in my R81.20 lab with HTTPS Inspection enabled, and once tested, it was indeed blocked fine. Not sure if there is a more "official" way of doing it though :-)

Andy

PSushko
Contributor

On R80.40, setting up a custom application/site with a "*.zip" non-regex expression and HTTPS Inspection enabled hits on every request that has .zip in it (i.e. test.zip {good}, test.com/test.zip {bad}, test.com/test?q=test.zip {bad}).

the_rock
Legend

I believe ya, as I only tested on R81.20, so it's most likely different.

Andy

emiliano_mastro
Contributor

Hi,

I have just tried, on R81.10, an Application/Site rule with *.zip (no regex), but unfortunately it doesn't work well because it blocks even zip files.

the_rock
Legend

I will try later today with R81.10, but logically, unless you have the Content Awareness blade enabled to block the .zip extension, App Control/URLF should not block it.

Andy

Bob_Zimmerman
Authority

Put a slash after it, as I described in the most recent post in the thread I linked.

*.zip/
PSushko
Contributor

This works for me!

emiliano_mastro
Contributor

Yessss, adding the slash (*.zip/) works well!!!

Thanks a lot

the_rock
Legend

I tested it exactly the way you described and it was fine, even in R81.10. But, as @Bob_Zimmerman advised, if it works with /, then use that.

Andy

Bob_Zimmerman
Authority

I recently explored the Custom Application/Site expression matching pretty extensively and arrived at this set of expressions. Later in the thread (currently the bottom-most post), I also described my findings after enabling HTTPS Inspection.

Yuber_Sierra_av
Participant

I found the following regex in another topic, and it worked for me:

Just replace TLD with the domain you want to match.

^[^:\/]+:\/?\/?[^\/]+\.TLD\/

Regex for TLD Blocks - Check Point CheckMates

Bob_Zimmerman
Authority

That's a lot messier than it needs to be. Almost none of the backslashes are needed. It also matches exactly one subdomain: www.somesite.tld would not be matched. Here's a better version, which is basically what I wrote in the linked post:

^[^:]+?://([^/]+?\.)+TLD/

It matches the scheme non-greedily, which will be faster in almost all cases. It removes the optionality of the slashes in the :// separator between the scheme and the domain, since they are always present in the input space. Finally, it requires one subdomain but matches any number.

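Added example, not part of the thread and not Check Point code: a small Python script that runs the expressions posted above (the "*.zip" and "*.zip/" custom-site entries, PSushko's hostname regex, the regex from the other topic, and the one in the previous post) over a constructed set of URLs and compares each with a parser-based reference that looks only at the host's last label. The two wildcard entries are approximated as plain substring checks; that is a model built to reproduce the false positives PSushko reported (test.com/test.zip, test?q=test.zip), not Check Point's documented wildcard semantics. All sample URLs are made up for the test, and the scheme is included because both regexes require it.

```python
import re
from urllib.parse import urlsplit

# TLD to block. The thread is about .zip; .mov gets the same treatment.
TLD = "zip"


def host_has_tld(url: str, tld: str = TLD) -> bool:
    """Reference check: parse the URL and look only at the host's last label.

    This is what a TLD block is supposed to do: match when the *host* ends in
    the TLD, regardless of what the path or query string contain.
    """
    host = urlsplit(url).hostname  # None for scheme-less strings; port stripped
    if not host:
        return False
    return host.rsplit(".", 1)[-1] == tld


# --- Substring models of the non-regex custom-site entries from the thread ---
# Constructed to reproduce the reported behaviour ("*.zip" hits anything that
# contains .zip, "*.zip/" does not). NOT Check Point's wildcard semantics.
def wildcard_zip(url: str, tld: str = TLD) -> bool:
    return f".{tld}" in url          # models the custom site "*.zip"


def wildcard_zip_slash(url: str, tld: str = TLD) -> bool:
    return f".{tld}/" in url         # models the custom site "*.zip/"


# --- The regex alternatives posted in the thread ---
# Bob_Zimmerman's expression: scheme (non-greedy), "://", one or more
# dot-terminated labels, the TLD, then the "/" that ends the host part.
THREAD_REGEX = re.compile(r"^[^:]+?://([^/]+?\.)+" + re.escape(TLD) + "/")

# Yuber_Sierra_av's expression from the other CheckMates topic, TLD filled in.
OTHER_TOPIC_REGEX = re.compile(r"^[^:\/]+:\/?\/?[^\/]+\." + re.escape(TLD) + r"\/")

# PSushko's expression. Note the $ anchor: as written it validates a bare
# hostname and cannot match a full URL with scheme and path.
HOSTNAME_REGEX = re.compile(r"^(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+(zip|mov)$")


def thread_regex_match(url: str) -> bool:
    return THREAD_REGEX.search(url) is not None


def other_topic_regex_match(url: str) -> bool:
    return OTHER_TOPIC_REGEX.search(url) is not None


# Constructed sample URLs with the verdict a .zip TLD block should give.
SAMPLE_URLS = [
    ("https://test.zip/", True),
    ("https://www.somesite.zip/", True),                    # one subdomain
    ("https://cdn.files.somesite.zip/download", True),      # several subdomains
    ("https://files.zip:8443/", True),                      # explicit port after the host
    ("https://test.com/test.zip", False),                   # zip file on a .com site
    ("https://test.com/test?q=test.zip", False),            # ".zip" only in the query
    ("https://www.google.com/search?q=.zip+domains", False),
    ("https://example.com/archive.zip/readme.txt", False),  # directory named *.zip
    ("https://notzip.example.com/", False),
    ("https://example.zip.evil.com/", False),               # .zip as a middle label
]


def false_positives(matcher) -> list:
    """URLs the matcher blocks although the host is not under the TLD."""
    return [u for u, should_block in SAMPLE_URLS if matcher(u) and not should_block]


def false_negatives(matcher) -> list:
    """URLs the matcher lets through although the host is under the TLD."""
    return [u for u, should_block in SAMPLE_URLS if not matcher(u) and should_block]


if __name__ == "__main__":
    for name, fn in [("*.zip (substring model)", wildcard_zip),
                     ("*.zip/ (substring model)", wildcard_zip_slash),
                     ("thread regex", thread_regex_match),
                     ("other-topic regex", other_topic_regex_match)]:
        print(f"{name:26} FP={false_positives(fn)}  FN={false_negatives(fn)}")
```

On this corpus the "*.zip" model blocks five URLs whose host is not under .zip, the "*.zip/" model still blocks a path that happens to contain a directory named archive.zip, and both regexes agree with the parser except for one edge case that is a property of the expressions themselves: since they require the TLD to be followed immediately by "/", a URL with an explicit port (files.zip:8443/) is not matched. Whether the gateway ever presents the port in the matched string is not something this example can tell you; it only shows what the regex does with such input.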