[squid-users] blocking certain file types by content
Markus
markus.bytom.pl at gmail.com
Sun Dec 13 12:31:39 UTC 2015
I'm wondering if it is possible to detect (and block) certain files by
their header/content, like 'MZ' (0d 0a 0d 0a 4d 5a), which is the beginning
of any EXE/DLL file.
Purpose:
I'm trying to protect my internal network against unknowingly
downloading executable files (like malware). All user traffic passes
through our Squid proxy.
What I've already done is:
1. Blocking by URL (URL contains \.exe, \.dll and other banned extensions)
2. Blocking by the server's response header (MIME type,
Content-Disposition and so on)
But there is still a way to download an executable file when somebody
puts it on a server as e.g. readme.txt. The server's response header would
in this case be 'Content-Type: text/html;'.
So none of the above-mentioned rules would block this file. Of course, a
regular web browser would show this EXE as text, which isn't
dangerous. But we can imagine a dedicated downloader (e.g. part of
the malware) which can download binary code this way.
So, tell me guys, is there any solution for this?
I could also use Snort, but it would be very inflexible (I would
like to have a whitelist of domains).
Even if it's possible, what about performance in a real environment?
Maybe there's a way to analyze only the first bytes of the incoming
stream?
greetings
Markus
PS
----
If the string 'MZ' is too short, we can also use 'This program cannot
be run in DOS mode' (this string is also part of the EXE header). But
probably the majority of EXE packers can compress it.
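As an added example (not part of Markus's post and not Squid or ICAP code), here is the kind of first-bytes check that a response filter in front of Squid could apply to answer the question above. It assumes the filter sees the response body starting at the first byte after the blank line that ends the HTTP headers, and that it only has to buffer the first PREFIX_BYTES bytes of the body, which is what keeps the cost bounded. It does not rely on the "MZ" string alone: for PE files it reads the e_lfanew field at offset 0x3c and confirms the "PE\0\0" signature there, which a packer has to keep for the file to load. It also recognises ELF and Mach-O headers, since a downloader that writes bytes to disk does not care about the MIME type. The function names, the sample header bytes and the host names are constructed for illustration.

```python
import struct
from typing import Optional, FrozenSet, Tuple

# Only this many body bytes need to be buffered before a verdict is possible.
PREFIX_BYTES = 1024

# Mach-O magic numbers (32/64-bit, both byte orders). The fat-binary magic
# 0xCAFEBABE is deliberately left out because Java .class files share it.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
}


def sniff_executable(prefix: bytes) -> Optional[str]:
    """Classify the first bytes of a response body.

    Returns "pe", "mz", "elf", "macho" or None. Only `prefix` is looked at,
    so the caller can stop buffering after PREFIX_BYTES.
    """
    if prefix.startswith(b"MZ"):
        # "MZ" alone is weak: DOS stubs and coincidental data start with it.
        # Confirm the PE signature at the offset stored in e_lfanew (0x3c).
        if len(prefix) >= 0x40:
            e_lfanew = struct.unpack_from("<I", prefix, 0x3c)[0]
            if e_lfanew + 4 <= len(prefix) and prefix[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "pe"
        # Either a plain DOS executable, or e_lfanew points past the sniffed
        # prefix so we cannot verify it. Both are reported as "mz" so the
        # policy layer can choose to block unverifiable MZ headers too.
        return "mz"
    if prefix.startswith(b"\x7fELF"):
        return "elf"
    if prefix[:4] in MACHO_MAGICS:
        return "macho"
    return None


def should_block(host: str, content_type: str, body_prefix: bytes,
                 allowed_hosts: FrozenSet[str] = frozenset()) -> Tuple[bool, str]:
    """Policy on top of the sniffer: whitelisted hosts pass, any executable
    signature in the body is blocked regardless of the declared MIME type."""
    if host.lower() in allowed_hosts:
        return False, "host whitelisted"
    kind = sniff_executable(body_prefix[:PREFIX_BYTES])
    if kind is None:
        return False, "no executable signature in first bytes"
    return True, "%s body served as %s" % (kind, content_type or "unknown type")


def make_sample_pe(e_lfanew: int = 0x80) -> bytes:
    """Constructed PE-like header (not a real program): MZ, e_lfanew at 0x3c,
    and the PE signature at e_lfanew. Enough to exercise the check above."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3a)   # 0x3c bytes up to e_lfanew
    hdr += struct.pack("<I", e_lfanew)        # e_lfanew field
    hdr += b"\x00" * (e_lfanew - len(hdr))    # DOS stub area, left empty
    hdr += b"PE\x00\x00"                      # PE signature
    return bytes(hdr)


if __name__ == "__main__":
    # The scenario from the post: an EXE uploaded as readme.txt and served
    # as text/html. The hosts are constructed examples.
    print(should_block("files.example", "text/html", make_sample_pe()))
    print(should_block("updates.example", "text/html", make_sample_pe(),
                       frozenset({"updates.example"})))
    print(should_block("files.example", "text/html", b"<html>readme</html>"))
```

In a Squid deployment this logic would sit in an ICAP respmod service (or an eCAP adapter) that Squid hands each response to; Squid's own ACLs do not see the response body, and the ICAP transport is not shown here. Whether an unverified "mz" result should be blocked or only logged depends on how much legacy DOS-era content the users need.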