If you run Least Privilege on your internet-facing firewalls (and that should not be an "if", since this is something you MUST do), fetching CRL and CRT files becomes a bit problematic, because there is no URL you can match on, and you would then have to allow all web browsing, which is unfortunate. Here are two custom App-IDs you can add alongside OCSP:
CRL App-ID
set application CRL default port tcp/80
set application CRL signature "GET CRL File" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match pattern ".*\.crl HTTP.*"
set application CRL signature "GET CRL File" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match context http-req-uri-path
set application CRL signature "GET CRL File" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match qualifier http-method value GET
set application CRL signature "GET CRL File" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match pattern ".*((application\/pkix-crl)|(application\/x-pkcs7-crl)|(text\/plain)).*"
set application CRL signature "GET CRL File" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match context http-rsp-headers
set application CRL signature "GET CRL File" scope session
set application CRL signature "GET CRL File" order-free no
set application CRL category networking
set application CRL subcategory infrastructure
set application CRL technology client-server
set application CRL description "matches CRL download"
set application CRL risk 1
set application CRL has-known-vulnerability yes
set application CRL file-type-ident yes
set application CRL virus-ident yes
set application CRL data-ident yes
CRT App-ID
set application CRT default port tcp/80
set application CRT signature "GET CRL File" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match pattern ".*\.crt HTTP.*"
set application CRT signature "GET CRL File" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match context http-req-uri-path
set application CRT signature "GET CRL File" and-condition "And Condition 1" or-condition "Or Condition 1" operator pattern-match qualifier http-method value GET
set application CRT signature "GET CRL File" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match pattern ".*((application\/pkix-cert)|(application\/x-pkcs7-crl)|(text\/plain)).*"
set application CRT signature "GET CRL File" and-condition "And Condition 2" or-condition "Or Condition 1" operator pattern-match context http-rsp-headers
set application CRT signature "GET CRL File" scope session
set application CRT signature "GET CRL File" order-free no
set application CRT category networking
set application CRT subcategory infrastructure
set application CRT technology client-server
set application CRT description "matches CRT download"
set application CRT risk 1
set application CRT has-known-vulnerability yes
set application CRT file-type-ident yes
set application CRT virus-ident yes
set application CRT data-ident yes
This is what the rule looks like
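To sanity-check what these two signatures actually match before they go into a production rule, here is an added Python example (not from the original post and not PAN-OS code) that emulates the session-scoped two-condition signature against constructed HTTP samples. It assumes the URI-path context is fed the full request line, which is why the page's patterns expect " HTTP" after the file name, and that the response-header context is the raw header block.

```python
import re
from typing import Optional, Tuple

# Regex patterns copied verbatim from the page's two App-ID definitions.
APP_SIGNATURES = {
    "CRL": {
        "uri": r".*\.crl HTTP.*",
        "method": "GET",
        "rsp": r".*((application\/pkix-crl)|(application\/x-pkcs7-crl)|(text\/plain)).*",
    },
    "CRT": {
        "uri": r".*\.crt HTTP.*",
        "method": "GET",
        "rsp": r".*((application\/pkix-cert)|(application\/x-pkcs7-crl)|(text\/plain)).*",
    },
}


def parse_request_line(request: bytes) -> Tuple[str, str]:
    """Return (method, request line) of a raw HTTP/1.x request."""
    line = request.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return line.split(" ", 1)[0], line


def response_headers(response: bytes) -> str:
    """Return the header block of a raw HTTP/1.x response, body stripped."""
    return response.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")


def classify(request: bytes, response: bytes) -> Optional[str]:
    """Emulate the signature: And Condition 1 (GET + URI pattern on the request)
    AND And Condition 2 (content-type pattern on the response headers) must both
    hit within one session. Returns the App-ID name, or None when the session
    would fall through to generic web-browsing (and be denied by a tight rule)."""
    method, line = parse_request_line(request)
    headers = response_headers(response)
    for name, sig in APP_SIGNATURES.items():
        if method != sig["method"] or not re.match(sig["uri"], line):
            continue
        if not re.match(sig["rsp"], headers, re.DOTALL):  # headers span lines
            continue
        return name
    return None


# Constructed sample traffic (hypothetical hosts, not captured from any real CA).
CRL_REQ = b"GET /pki/rootca.crl HTTP/1.1\r\nHost: crl.example.invalid\r\n\r\n"
CRL_RSP = b"HTTP/1.1 200 OK\r\nContent-Type: application/pkix-crl\r\nContent-Length: 0\r\n\r\n"
CRT_REQ = b"GET /pki/issuer.crt HTTP/1.1\r\nHost: aia.example.invalid\r\n\r\n"
CRT_RSP = b"HTTP/1.1 200 OK\r\nContent-Type: application/pkix-cert\r\nContent-Length: 0\r\n\r\n"
WEB_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"
WEB_RSP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"
POST_REQ = b"POST /pki/rootca.crl HTTP/1.1\r\nHost: crl.example.invalid\r\n\r\n"
```

The last two samples show the value of the second condition: a request for a .crl path that is answered with text/html (for instance an error page), or one that is not a GET, is not classified as CRL and so is not let through by the narrow rule.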