E2Guardian 3.5 SSLMITM Banned Phrase Blocking Not Working Consistently


Jonathan Krueger

May 29, 2017, 9:47:07 PM
to e2guardian
I'm trying to get SSL Man in the Middle Keyword Phrase Blocking working, but I seem to be running into some issues where pages with the keyword I'm specifically asking to have blocked aren't getting blocked. I'm trying to test that SSL filtering is truly working by trying to block the keyword "Jonathan." When I test it on Amazon.com, Google Search Results, etc., the pages get displayed. But when I click an SSL link to Wikipedia the page gets blocked as I expected to happen on Amazon and Google.

Does anyone know why this is happening?

Here's my configuration settings:

Using Default Group
Using Default Phrase List
General > Authentication - None selected
General > Weighted Phrase Mode: Normal
General > Lower Case Options: "force lower case"
General > Phrase Filter Mode: "smart only"
Users - Not checked
Groups > Default > Group Options with the following options selected:
 -- Scan Clean Cache
 -- Infection / Scan Error Bypass ...
 -- Check Server SSL Certificates
 -- Filter SSL Sites forging SSL Certificates
Groups > Default > Filtered Group Mode: Filtered
Groups > Default > Weighted Phrase Mode: Normal
Groups > Default > Naughtiness Limit: 100
Groups > Default > Search Limit: 30
ACLs > Phrase List > Default > Banned Lists > Config File - Added the following entries at the top:
<Jonathan>
< Jonathan >
< jonathan >
<jonathan>
NOTE: Yes, I know these entries are overkill since I have "force lower case" selected, but I was trying to ensure every possibility was covered, since I couldn't figure out why the blocking wasn't working consistently.

Steps to reproduce:
1. Navigate to the following URL: https://www.amazon.com/Jonathan-Thomas-Sarbacher/dp/B01NBALPRR/ It should be blocked since the word "Jonathan" appears 13 times on the page in various places. But it's not blocked.
2. Search Amazon.com for the word "Jonathan". Notice the search results are displayed.
3. Search Google.com for the word "Jonathan". Notice the search results are displayed.
4. Navigate to the following URL: https://en.wikipedia.org/wiki/Jonathan_(name) Notice the page is blocked as I would have expected.

If I've configured something incorrectly, please let me know. Otherwise, could someone let me know whether this is worth reporting as an issue on GitHub?

Thanks,

Jonathan

FredB

May 30, 2017, 2:42:15 AM
to e2guardian
What's this? A specific tool?


> Steps to reproduce:
> 1. Navigate to the following URL:
> https://www.amazon.com/Jonathan-Thomas-Sarbacher/dp/B01NBALPRR/ It
> should be blocked since the word "Jonathan" appears 13 times on the
> page in various places. But it's not blocked.
> 2. Search Amazon.com for the word "Jonathan" Notice the search
> results are displayed.
> 3. Search Google.com for the word "Jonathan" Notice the search
> results are displayed.
> 4. Navigate to the following URL:
> https://en.wikipedia.org/wiki/Jonathan_(name) Notice the page is
> blocked as I would have expected.


What do you have in the log? Why is this page denied?

> If I've configured something incorrectly, please let me know.


Hard to say, it depends on the values in your configuration files.

Jonathan K

May 30, 2017, 6:52:31 AM
to e2guardian
My apologies. I didn't realize that the version of E2Guardian I'm using for pfSense had added a web GUI to it. I'm attaching the config files.
e2guardian.conf
e2guardianf1.conf

Jose Torres

May 30, 2017, 1:07:03 PM
to e2guardian
Jonathan, I think you should include the conf file related to the banned phrase list.

I do not recall the exact name but it is located in usr/local/etc/e2guardian/lists/

Jonathan K

May 30, 2017, 7:43:56 PM
to e2guardian
I'm not sure why I see 3 files (it's possible it's something specific to the pfsense version of E2Guardian.) Regardless, I double checked to make sure all 3 had the block of the keyword Jonathan and the Amazon page still displays. See attachments.

Thanks,

Jonathan
bannedphraselist.g_Default
bannedphraselist.Default
bannedphraselist

FredB

May 31, 2017, 8:47:37 AM
to e2guardian

> ACLs > Phrase List > Default > Banned Lists ??? > Config File - Added the
> following entries at the top :
> <Jonathan>
> < Jonathan >
> < jonathan >

Tried
I just put <Jonathan> in /etc/e2guardian/list/bannedphrselist

> Steps to reproduce:
> 1. Navigate to the following URL:
> https://www.amazon.com/Jonathan-Thomas-Sarbacher/dp/B01NBALPRR/ It
> should be blocked since the word "Jonathan" appears 13 times on the
> page in various places. But it's not blocked.

Works here

> 2. Search Amazon.com for the word "Jonathan" Notice the search
> results are displayed.

Works here

> 3. Search Google.com for the word "Jonathan" Notice the search
> results are displayed.

Works here

jetsyste...@gmail.com

May 31, 2017, 2:41:05 PM
to e2guardian
FredB:

Did you test it with 3.5.1?

The problem is seen on the FreeBSD 3.5.1 version.

Some people are seeing other kinds of erratic behavior.
https://forum.pfsense.org/index.php?topic=128116.msg723297#msg723297

FredB

Jun 1, 2017, 8:10:29 AM
to jetsyste...@gmail.com, e2guardian
No, actually I'm using the 4.x branch (retryfix is the next 4.1.1).
I guess @marcelloc is trying to make a version for FreeBSD.

Comsci Com

Jan 12, 2021, 6:01:17 AM
to e2guardian
I have got it working for HTTP but can't get it working for HTTPS. Has anyone got the phrase list working on HTTPS?

Philip Pearce

Jan 12, 2021, 9:39:53 AM
to Comsci Com, e2guardian
It will work if you enable ssl MITM - can't work for https without this.


--
E2guardian:
https://groups.google.com/d/forum/e2guardian
Github:
https://github.com/e2guardian/e2guardian
Follow us on twitter:
https://twitter.com/e2guardian

David B Jonas

Jan 12, 2021, 7:44:57 PM
to Philip Pearce, e2guardian
Yes, I have that enabled and it works for URL matches, but content matching, I have worked out, needs to have another option enabled.

In the group settings, enable SSL forging certificate, and then you need to load the CA cert of pfSense onto all devices.

Now content filtering works as expected.
--
Regards,
David B Jonas
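
A way to check, per site, whether the filter is really forging the certificate (and can therefore see page content for phrase matching), as an added example that is not part of the original thread. It assumes the `openssl` CLI (1.1.0 or later); the proxy address, file names and test host names are placeholders, and the certificates in `demo` are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the thread); all names are placeholders.

# fetch_leaf PROXY:PORT SITE OUT.pem - save the certificate a client is shown
# for SITE when it connects through the filtering proxy (needs network).
fetch_leaf() {
    openssl s_client -proxy "$1" -connect "$2:443" -servername "$2" \
        </dev/null 2>/dev/null | openssl x509 -out "$3"
}

# mitm_status CA.pem LEAF.pem - report whether LEAF was issued by the proxy CA.
# -no-CApath keeps the system trust store out of the decision.
mitm_status() {
    if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "intercepted"      # forged by the proxy CA: content is visible
    else
        echo "not-intercepted"  # tunnelled: no page content to phrase-match
    fi
}

# make_ca DIR NAME / make_leaf DIR CA_NAME LEAF_NAME - constructed test
# certificates so the check can be exercised offline.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# demo - one leaf forged by a constructed "proxy CA", one issued by an
# unrelated constructed CA standing in for a public CA.
demo() {
    d=$(mktemp -d)
    make_ca "$d" proxy-ca && make_ca "$d" public-ca
    make_leaf "$d" proxy-ca forged.example.test
    make_leaf "$d" public-ca direct.example.test
    echo "forged: $(mitm_status "$d/proxy-ca.pem" "$d/forged.example.test.pem")"
    echo "direct: $(mitm_status "$d/proxy-ca.pem" "$d/direct.example.test.pem")"
    rm -rf "$d"
}
```

Against a live proxy, run `fetch_leaf` once for a site that is blocked and once for one that is not, then pass each saved file to `mitm_status` with the CA certificate exported from the filter.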