stifi
Level 7

Changes in regular expression in mwg 7.5.1?


Dear all

We recently upgraded from 7.3.0.2 to 7.5.1. We have now discovered an issue regarding regular expressions. Please mind that Facebook is blocked in our company (not by category but by an explicit URL regular expression). Nevertheless, we want to allow some specific Facebook links so that, for example, all these like buttons appear on news sites.

Here is an example of such a link:

https://www.facebook.com/connect/ping?client_id=72616527888&domain=www.20min.ch&origin=1&redirect_ur...

From my experience I would create a URL whitelist with the pattern https://www.facebook.com/connect/ping?*. However, for some reason this pattern does not match, even though the test option matches.

This is a short printscreen from my ruleset:

mwg-printscreen.png

I'm pretty sure that this used to work in previous releases, at least in 7.3.0.2. However it does not work for me in 7.5.1.

Did some research on the community resources and furthermore on the whole internet, and also checked the documentation. Did not find any hint what might be kidding me. I am pretty sure that the solution is right in front of my nose, however I'm unable to recognize it ...

Best, Stefan

0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: Changes in regular expression in mwg 7.5.1?


Hi Stefan!

I would wonder what a rule trace would show you. I don't think this is related to regex changing, as you aren't using any.

I believe this issue is likely related to the fact that this is an HTTPS URL and the MWG is blocking the request *before* we know the real URL.

Think of SSL/TLS as happening in 2 steps:

1. Client requests to CONNECT to www.facebook.com to create tunnel

2. Client has SSL/TLS tunnel established to www.facebook.com, and requests https://www.facebook.com/blahblahblah

I think that MWG is likely blocking the client when it sees #1.

For more information see the following best practice:

Best Regards,

Jon

0 Kudos
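
The two steps described in the answer above, as an added sketch that is not part of the original thread and is not MWG's rule engine. The block regex, the prefix-style matching of the whitelist pattern, the `allow_connect_hosts` exemption and the assumption that the proxy decrypts the tunnel in step 2 are all illustrative assumptions; the sample path is the visible part of the link from the question.

```python
import re

# Constructed policy: the block regex is hypothetical; the allow pattern is the
# one from the question, treated here as a prefix match up to the trailing "*".
ALLOW_PREFIXES = ["https://www.facebook.com/connect/ping?"]
BLOCK_REGEX = re.compile(r"facebook\.com")

# Visible part of the link quoted in the question (the rest is elided there).
PING_PATH = "/connect/ping?client_id=72616527888&domain=www.20min.ch&origin=1"


def evaluate(url):
    """Whitelist first, then the block regex, as in the ruleset described."""
    if any(url.startswith(prefix) for prefix in ALLOW_PREFIXES):
        return "allow"
    if BLOCK_REGEX.search(url):
        return "block"
    return "allow"


def proxy_session(host, port, path, allow_connect_hosts=()):
    """Return the verdict trace for one HTTPS fetch through an explicit proxy.

    Step 1 is the CONNECT, where only host:port is visible. Step 2, the full
    URL, is evaluated only if the tunnel was permitted, and is visible only
    to a proxy that decrypts the tunnel (assumed here).
    """
    trace = []
    target = f"{host}:{port}"
    # Hypothetical exemption: let the tunnel to selected hosts be established
    # so that filtering can happen on the full URL in step 2.
    verdict = "allow" if host in allow_connect_hosts else evaluate(target)
    trace.append(("CONNECT", target, verdict))
    if verdict == "block":
        return trace  # tunnel refused: the path-based whitelist is never consulted
    full_url = f"https://{host}{path}"
    trace.append(("GET", full_url, evaluate(full_url)))
    return trace


if __name__ == "__main__":
    exempt = ("www.facebook.com",)
    for label, session in [
        ("as in the question", proxy_session("www.facebook.com", 443, PING_PATH)),
        ("CONNECT exempted", proxy_session("www.facebook.com", 443, PING_PATH, exempt)),
        ("CONNECT exempted, other path", proxy_session("www.facebook.com", 443, "/somepage", exempt)),
    ]:
        print(label)
        for method, url, verdict in session:
            print(f"  {method:7} {url} -> {verdict}")
```
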
2 Replies
stifi
Level 7

Re: Changes in regular expression in mwg 7.5.1?


Hi Jon

100% match. I was not aware of that detail, and I guess Facebook used to use just plain HTTP in the past, while these guys decided to move to HTTPS in the recent past.

The best practice document is just great, should be part of the product documentation!

Br, Stefan

0 Kudos