12.07.2015 Views

Symantec™ Security Gateways Reference Guide - Sawmill


74 Controlling service access
Content filtering

Now, with these two entries, the URLs containing three uppercase Xs or three lowercase Xs were blocked, but nothing else. What if the URL has mixed case? A more elegant solution to solve all three cases is to use character set variables. To combine and look for three uppercase Xs, three lowercase Xs or any combination of three consecutive uppercase and lowercase Xs, use

    [Xx][Xx][Xx]

As shown in Table 5-1, the [ and ] characters denote a range of characters that should be matched. Because you are looking specifically for three consecutive letters, you need to set up three sets of brackets.

Note: One common mistake is to use the * character as a global wild card character thinking that it solves multiple cases. For example, the expression

    [Xx]*

achieves the same results in blocking access to the desired sites previously mentioned; however, it also blocks access to every other site. The * says zero or more occurrences, so, regardless of whether or not the URL has the letter x in it, it is blocked.

The strength of URL pattern matching is immediately apparent. Instead of having to list exactly the URLs you want to allow, you can define patterns to deny any URLs that contain specific words or phrases. This is further extended to recognition of buffer overflow attacks.

For example, examine the URL http://www.website.com/index.htm/?%2%c0x5at. The last part of the URL appears to be gibberish, but is actually an attack and an attempt to overrun the Web server, or cause it to behave in a way it normally wouldn’t. Through the use of pattern matching, once you know what the signature for the attack looks like, you can add the appropriate line to prevent this request from going through.

Configuration information for creating and using URL pattern matching with the HTTP proxy is found in your product’s administrator guide.

MIME Types

The HTTP proxy can restrict access according to a list of MIME types. Each URL received is scanned to see if its content-type matches a restricted MIME type. When a match is found, the Web page still downloads, but those components matching blocked MIME types do not. Unlike other restrictions, MIME restrictions are global, affecting all HTTP connections. For additional information including a list of common MIME types, see RFC 1521.

Configuration information for restricting by MIME types is found in your product’s administrator guide.

File Extensions

The file extensions list lets you define filename extensions that are allowed when you enable restrict by File Extensions in the HTTP parameters for a service group that contains HTTP. When this service group is used in a rule, users can only retrieve URLs with the extensions listed; access to all other URLs is denied. This provides a way of allowing, for example, only text or HTML files, while restricting binary executables. Files with no extension are assumed by default to have .html extensions.

Note: If you create this list, only the extensions you include in this list are allowed. Once this list is created and applied to a rule, the default policy is to deny everything not on the list.

Configuration information for restricting by file extensions is found in your product’s administrator’s guide.
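The note on [Xx]* in the URL pattern matching discussion above can be checked before a deny pattern is deployed. The following is an added example, not code from the guide or the product: it uses Python's re module with unanchored "contains" matching as an assumed stand-in for the HTTP proxy's matcher, and the sample URLs and function names are constructed for illustration.

```python
import re

# Constructed sample URLs (not from the guide); only the first three contain
# three consecutive Xs in some mix of case.
SAMPLE_URLS = [
    "http://www.example.com/XXX/index.htm",
    "http://www.example.com/xxx/index.htm",
    "http://www.example.com/xXx/index.htm",
    "http://www.example.com/news/today.htm",
    "http://www.example.org/",
]
MUST_BLOCK = SAMPLE_URLS[:3]
MUST_ALLOW = SAMPLE_URLS[3:]


def matches_empty(pattern):
    """True if the pattern can match zero characters; an unanchored
    search with such a pattern succeeds on every URL."""
    return re.search(pattern, "") is not None


def blocked(pattern, urls):
    """URLs a deny rule would block, assuming unanchored matching."""
    rx = re.compile(pattern)
    return [u for u in urls if rx.search(u)]


def audit(pattern, urls=SAMPLE_URLS):
    """Report what a candidate deny pattern misses and what it over-blocks."""
    hit = set(blocked(pattern, urls))
    return {
        "pattern": pattern,
        "matches_empty": matches_empty(pattern),
        "missed": [u for u in MUST_BLOCK if u not in hit],
        "overblocked": [u for u in MUST_ALLOW if u in hit],
    }


def run_audit():
    # The two literal entries, the character-set form, and the '*' mistake.
    return [audit(p) for p in ("XXX", "xxx", "[Xx][Xx][Xx]", "[Xx]*")]


if __name__ == "__main__":
    for report in run_audit():
        print(report)
```

A pattern for which matches_empty is true should be rejected outright, since it denies every request regardless of the URL.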
