Search

Support

Allow full sites like Facebook without tracking down https links!

This post has 24 Replies | 9 Followers

Top 200 Contributor
Posts 14
Reply
lvmcinto replied on 24 May 2011 9:00

more efficient would be

 

^https?://.*facebook\.com/

The last .* is unneccessary and .* in general adds a high utilization hit.  The $ is also unnecessary as it denotes the end of the line.  that would be impled in a URL after the .com/

To match the .com, you must escape the period.  In regex, period matches any character, so facebookscom would match with your current regex.

 

For all the IP based rules, same thing about periods and .*  don't use them unless necessary.

Your regex .*69.63.19[0-1]\.[0-9]{1,3}.*
would match blahblah69s63s190.11.badsite.com

 

this is why Regex is a bad idea.  It's a great tool, but many times the solution becomes the problem.

 

|
Not Ranked
Posts 2
Reply
WINNJ replied on 24 May 2011 10:10

Good points, thank you for your post.  I still think that having the discussion about the correct use of regex is better than telling people not to use it.  Ideally, I would use the literal URLs but the demand was to unblock this ASAP and regex served my purpose without recategorizing or allowing all social media sites.

From my understanding a "\" preceding the period changes the special meaning of the character so that it is literally a period. So another character should not be tranposed.  Also, in the Websense technical library I found that "?" is not a supported character and did not work with my testing, so I had to get around this with the OR statement.

The period before the IP address was just lazy I suppose, it was intended to cover http, https or just the plain IP address.  I will definately get this fixed.

|
Top 200 Contributor
Posts 14
Reply
lvmcinto replied on 24 May 2011 10:25

you're right that the \. is a literal period, and that's what you want for facebook.com or IP addresses.  otherwise you'd match something different.

to cover http and https, https?:// works and is pretty efficient. 

One other thing is that a lot of Websense customers aren't very technical.  So I can understand the approach from their side.  You don't want to be in the business of supporting regex in addition to your product.

|
Top 10 Contributor
Posts 749
Trusted Users (MVP)
Reply
Glitch replied on 24 May 2011 11:15

I'm sorry lvmcinto but you're either wrong or don't understand the situation and you're going to end up confusing people.  Most people do not have the option of filtering HTTPS by URL.

Most Websense integrations can only filter HTTPS requests by destination IP address, not by URL.  This is due to the nature and implementation of most integrations where they are out of band and cannot see what you typed in due to the HTTPS encryption.  Websense Content Gateway (and probably other proxy integrations like with an ISA server) are exceptions where they can do by URL because they're in path of the traffic.

Your concerns about using IP based filtering with regex are valid, however in many situations it's the only option.

|
Top 200 Contributor
Posts 14
Reply
lvmcinto replied on 24 May 2011 11:25

No, I understand exactly what is being said...  I just don't think you are considering all the options with regex.  My post does not imply that you should not use IP adddresses at all.  It means that when you use Regex, you need to be careful and truly understand what you're doing.

Yes, a lot of implentations can only use IP for https, but if you are specifying the protocol in front of an IP, you can still do that as https?://

The literal periods are still needed in an IP as well. 

Three regex examples of IP rules and what would match

  • https?://10\.11\.12\.

is a match for http://10.11.12.123 OR https://10.11.12.123

  • 10\.11\.12\.

is a match for http://10.11.12.1 OR https://10.11.12.1

  • 10.11.12.

is a match for http://10.11.12.1 OR http://1091191291 OR https://10.11.12.1 OR https://1091191291

When I do regex rules for IP addresses, I use the second option.  That will cover any other protocols like FTP or HULU:// etc detected by network agent.

A final note, ALWAYS use the built in regex checker for Websense.  Websense's implementation of regex is not pcre or POSIX or what any other regex tools will test for.

|
Not Ranked
Posts 2
Reply
ab7734 replied on 1 Jul 2011 10:08

lvmcinto, that example just helped me out a lot. 

The regex examples offered on Websense's support page doesn't even mention how to list IP ranges this way.

Your example (the 2nd one) shows how to list a range of IPs with the 1st three octets all being static, and the 4th being completely unfiltered.  That's really helpful, but do you know how one would also list the 3rd octet as well as the 4th as variable?  When I try just the \. for the 3rd octet it fails to meet the Websense regex checker tool's requirements.  So I'm stuck only being able to unfilter the 4th octet wen I need to unfilter the 3rd and 4th. octets

What we are trying to do it list a huge range of IPs mandated by Cisco Webex in a Websense Custom URLs list.  See the Webex support KB artticle WBX264, if you're interested in viewing the range of IPs.  This is all https too, and we have no Websense Content Gateway, so we have to list IPs instead of URLs.

Thanks.

 

 

|
Top 200 Contributor
Posts 14
Reply
lvmcinto replied on 1 Jul 2011 11:07

Large IP ranges can be tricky... You very frequently have to break them into several regexes.  While a single regex could be built for many, they would me fairly processor intensive and may impact performance.

I'll take an example from the Webex site:  64.68.96.0 - 64.68.127.255 (or 64.68.96.0/19)

The numbers in parentheses are the 3rd octet matches.


64\.68\.9[6-9]\.              (96-99)
64\.68\.1[0-1][0-9]\.       (100-119)
64\.68\.12[0-7]\.             (120-129)

|
Not Ranked
Posts 2
Reply
ab7734 replied on 8 Jul 2011 12:17 PM

Hey this worked well thank you a ton. 

I should note the Regex examples on the Websense site are sorely lacking.  This link;

http://www.websense.com/content/support/library/email/hosted/admin_guide/regex.aspx

...shows how to list IP addresses, but it completely doesn't work with the Regex test tool built in to Websense..  The way lvmcinto has them listed does work.

Also, I had to list an IP range for UPS World Ship software to work, and ended up actually having to unfilter the entire 3rd octet for a range, which I ended up doing like this:


For the range:

153.2.0.0 - 153.2.255.255

Put in these RegExes:


153.2\.[0-9]\.  (0-9)
153.2\.[1-9][0-9]\.  (10-99)
153.2\.1[0-9][0-9]\.  (100-199)
153.2\.2[0-5][0-5]\.  (200-255)

 

|
Not Ranked
Posts 2
Reply
bigfredi replied on 2 Feb 2012 4:34

I've used

^https?://.*\.facebook\.com

to avoid fake domains like whateverfacebook.com

In regards to the product... I can understand how I can allow a user to use facebook apps or facebook email, but to allow facebook in general I have to create particular rules, or the whole social area.

|
Not Ranked
Posts 2
Reply
bigfredi replied on 2 Feb 2012 4:41

Sorry, that was a too quick reply :-D

I've used

^https?://.*\.facebook\.com

to avoid fake domains like whateverfacebook.com

In regards to the product... I can't understand how I can allow a user to use facebook apps or facebook email, but to allow facebook in general I have to create particular rules, or the whole social area.

I don't understand how facebook, twitter and alike don't have their own category under social.

|
Page 2 of 2 (25 items) < Previous 1 2 | RSS