Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
1059 Views 4 Replies Latest reply: Dec 6, 2012 8:47 PM by cscoup8 RSS
cscoup8 Newcomer 34 posts since
Nov 13, 2012
Currently Being Moderated

Nov 13, 2012 8:56 PM

Block referer in mwg7

In Web Gateway 6.x there is an option to block the referer that is normally sent in the HTTP request (Common > Privacy Filters > Referer Filter)

 

How would one do the same in mwg7?  Specifically I would like to remove the referer if the domain is different.  Yes I am aware that this can cause problems for certain web sites that deny traffic unless the correct referer is sent (crappy form of access control in my opinion).  But from what I've seen removing the referer also blocks malware on certain sites that only gets delivered to you if the referer field is a search engine (google, bing, yahoo) or a redirector as opposed to a direct request to the malicious URL.

  • asabban McAfee SME 1,351 posts since
    Nov 3, 2009
    Currently Being Moderated
    1. Nov 14, 2012 1:39 AM (in response to cscoup8)
    Re: Block referer in mwg7

    Hello,

     

    to remove the referer header you can use the Header.RemoveAll  event and tell it to remove all headers with the name "referer".

     

    To specify when to remove the header you have to find the appropriate criteria, depending on what you would like to do. You could compare the value of the URL accessed and the value in the referer header. I did this a while ago by checking whether the content of the referer header (stored in the property Header.Request.Get('Referer')) with the value of the URL that was currently accessed, which is stored in URL.Host. I remember this was working as it did in 6.x, but I think I don't have the rule set anymore.

     

    Maybe you can have a look it you can get it setup as you desire.

     

    Best,

    Andre

  • asabban McAfee SME 1,351 posts since
    Nov 3, 2009
    Currently Being Moderated
    3. Nov 26, 2012 9:02 AM (in response to cscoup8)
    Re: Block referer in mwg7

    Hello,

     

    yes it is not as simple as it sounds :-) You actually want to match a string against a wildcard expression, which are two different data types in MWG. You have "URL.Host" which is a string. You want to use "match" (not equals, because that won't ever match). To use match you have to pick a wildcard expression on the operator side. This does not work out of the box.

     

    Additionally the Referer filter in MWG6 was domain wide, not host wide. You may want to keep the referer filter if you are forwarded from www.google.com to search.google.com.

     

    I have added a rule set which could help, I have not really tested it.

     

    In the first rule it takes the URL.Host property, extracts the URL via Regex and adds the result from this to a string which has an asterisk on its start and end. So I have:

     

    www.google.de (URL.Host)

     

    and I want:

     

    *google.de*

     

    To do this I had to use a user-defined property.

     

    In the second step I use the value of the referer header and check if it matches my wildcard (you will see that I use String.ToWildcard to convert my plain string into something I can use as a wildcard operator).

     

    So I say:

     

    http://www.google.de/search?q=andre&anotherparm=funny does not match *google.de*

     

    then remove headers.

     

    It should basically work. Maybe you want to have a look and check if it makes some sense.

     

    Best,

    Andre

     

    Nachricht geändert durch asabban on 26.11.12 16:02:11 MEZ

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points