brinkn
Level 9

MWG 6.9 Blocking URL pattern

Hello!

I have a question regarding MWG6.9.x and blocking malicious sites with a specific URL pattern.  For the past few months we have been bombarded with malware coming from sites similar to the below list.  All of the URLs have the regex format of "main.php\?(info|label)(=\S{22}==)".  I would love to be able to block access to these URLs with the gateway, however my understanding is that I can only filter on the domain name up to the '?' parameters.

http://domain.com/main.php?info=DaZIp3++bJAoOBSEwsDxiQ==

http://domain1.nl/main.php?label=W67kDPWIx5EJsfs84iKttw==

http://domain2.co.nz/joomla/main.php?info=A7JnC8ZuUfYHNcA81ZpAog==

http://domain3.com/main.php?label=bDQ4THtidNfsgl3mnqVHTA==

http://domain4.de/main.php?label=+LMgVo1Ti8yVOCq+EWgOnQ==

http://domain5.com/main.php?label=FkPnJruDcU83e+7QAn482w==

http://domain6.com/main.php?label=0UU7Di3TZ9ikuazg+KGpNA==

http://domain7.com/main.php?info=LNGKl3coIhYNGlLv03E1tw== 

http://domain8.com/main.php?info=+W8F446GdsRsLmWIbzKApg==

http://domain9.com/main.php?label=MzWLdKRcXhxxWkn/KntcgQ==

http://domain0.be/main.php?info=4cTNspAgwgVvGHtEXkE+rA==

Anyone have any ideas on how to approach this?  I'm sure I could do this with MWG7, however that is not an option for a few months.

0 Kudos
1 Reply
asabban
Level 17

Re: MWG 6.9 Blocking URL pattern

Hello,

You are right. However, you can try using the HTTP Method Filter List:

[Screenshot: 2013-08-02 10_26_28-MWG6-140_ McAfee Web Gateway 6.9.6 build 15512.png]

MWG 6 does not understand regular expressions. A string like this should offer some protection:

main.php?(info|label)=*==

Best,

Andre

0 Kudos
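
One way to find requests matching this pattern in proxy logs, independent of what the gateway itself can filter. This is an added example and not part of the original thread; the log line layout, the function names and the `example.org` entries are constructed assumptions.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, unquote

# Pattern from the question, applied to the whole query string. The base64
# alphabet replaces \S so unrelated 22-character values do not match.
QUERY_RE = re.compile(r"(info|label)=([A-Za-z0-9+/]{22}==)")

def is_suspect(url: str) -> bool:
    """True if url looks like .../main.php?(info|label)=<24-char base64 token>."""
    parts = urlsplit(url.strip())
    if not parts.path.lower().endswith("/main.php"):
        return False
    # unquote(), not parse_qs()/unquote_plus(): those turn '+' into a space
    # and would corrupt tokens such as "+LMgVo1Ti8yVOCq+EWgOnQ==".
    m = QUERY_RE.fullmatch(unquote(parts.query))
    if not m:
        return False
    try:
        raw = base64.b64decode(m.group(2), validate=True)
    except binascii.Error:
        return False
    return len(raw) == 16  # 22 characters plus "==" decode to 16 bytes

def scan(lines):
    """Yield (line_number, url) for each suspect URL found in proxy log lines."""
    for n, line in enumerate(lines, 1):
        for field in line.split():
            if field.startswith(("http://", "https://")) and is_suspect(field):
                yield n, field

# Constructed sample log. The tokens in the first three lines come from the
# post; the percent-encoded form, client IPs and example.org lines are made up.
SAMPLE_LOG = [
    "10.0.0.5 GET http://domain.com/main.php?info=DaZIp3++bJAoOBSEwsDxiQ== 200",
    "10.0.0.7 GET http://domain4.de/main.php?label=%2BLMgVo1Ti8yVOCq%2BEWgOnQ%3D%3D 200",
    "10.0.0.9 GET http://domain2.co.nz/joomla/main.php?info=A7JnC8ZuUfYHNcA81ZpAog== 200",
    "10.0.0.5 GET http://example.org/main.php?page=2 200",
    "10.0.0.5 GET http://example.org/index.php?info=DaZIp3++bJAoOBSEwsDxiQ== 200",
]

if __name__ == "__main__":
    for n, url in scan(SAMPLE_LOG):
        print(f"line {n}: {url}")
```
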