This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Snapchat - Host Not Found

Am puzzled by this Sophos UTM error.  Was hoping someone might be able to assist.

I can access Snapchat from my iPhone via LTE cellular without issue.  However I'm unable to access from my iPhone via wi-fi when attempting to connect from behind my Sophos UTM with HTTPS Decrypt & Scan enabled.

Even when I create a web filtering exception for Snapchat, I'm still receiving this error repeatedly.  Seems to be trying to access a www.feelinsonice.com URL that it cannot resolve?  It keeps returning a BLOCK and "Host Not Found":

2015:07:05-21:44:27 oscar httpproxy[15843]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.0.43" dstip="" user="" ad_domain="" statuscode="502" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="2623" request="0xdef78000" url="www.feelinsonice.com/" referer="" error="Host not found" authtime="0" dnstime="226" cattime="0" avscantime="0" fullreqtime="231808" device="0" auth="0" ua="" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience"

2015:07:05-21:44:27 oscar httpproxy[15843]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.43" dstip="74.6.34.30" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="186" request="0xdeeb3800" url="data.flurry.com/" referer="" error="" authtime="0" dnstime="34189" cattime="0" avscantime="0" fullreqtime="138177" device="0" auth="0" ua="" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience"

2015:07:05-21:44:27 oscar httpproxy[15843]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.43" dstip="74.125.30.141" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="3849" request="0xe0086800" url="sc-analytics.appspot.com/" referer="" error="" authtime="0" dnstime="334" cattime="0" avscantime="0" fullreqtime="139336" device="0" auth="0" ua="" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,cache,fileextension,size,patience"

2015:07:05-21:44:30 oscar httpproxy[15843]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.43" dstip="17.167.194.205" user="" ad_domain="" statuscode="200" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="4981" request="0xbf95000" url="gsp10-ssl.apple.com/" referer="" error="" authtime="0" dnstime="115864" cattime="0" avscantime="0" fullreqtime="363084" device="0" auth="0" ua="" exceptions="av,auth,content,url,ssl,certcheck,certdate,mime,fileextension"
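As an added example (not part of the original post and not Sophos code): a small parser for the `httpproxy` log lines above. It splits each line into its `key="value"` fields, groups blocked CONNECTs by the host the proxy could not resolve, and separately lists the hosts the proxy did connect to along with the `dstip` it used. The tell in the blocked line is the empty `dstip`: the proxy never picked an upstream address because the DNS lookup failed. The sample lines are constructed from the ones in the post, trimmed to the fields the parser reads, with a third (repeated) block added.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, trimmed from the post's lines; the third line is an added repeat.
SAMPLE_LOG = """\
2015:07:05-21:44:27 oscar httpproxy[15843]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.0.43" dstip="" user="" statuscode="502" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" url="www.feelinsonice.com/" referer="" error="Host not found" dnstime="226" fullreqtime="231808" exceptions="av,auth,content,url,ssl"
2015:07:05-21:44:27 oscar httpproxy[15843]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.43" dstip="74.6.34.30" user="" statuscode="200" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" url="data.flurry.com/" referer="" error="" dnstime="34189" fullreqtime="138177" exceptions="av,auth,content,url,ssl"
2015:07:05-21:44:28 oscar httpproxy[15843]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.0.43" dstip="" user="" statuscode="502" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" url="www.feelinsonice.com/" referer="" error="Host not found" dnstime="190" fullreqtime="200000" exceptions="av,auth,content,url,ssl"
"""

# "<timestamp> <hostname> <daemon>[<pid>]: " followed by key="value" pairs.
PREFIX_RE = re.compile(r"^(\S+) (\S+) ([a-z]+)\[(\d+)\]: ")
# Values in this format never contain a double quote, so [^"]* is enough even
# for values with spaces and parentheses (see the profile= field).
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one httpproxy line, or None if the prefix does not match."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = {"timestamp": m.group(1), "host": m.group(2),
              "daemon": m.group(3), "pid": m.group(4)}
    fields.update(KV_RE.findall(line[m.end():]))
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    return [f for f in (parse_line(l) for l in text.splitlines()) if f]


def host_of(url: str) -> str:
    # The url field is "host/path" without a scheme; CONNECT lines carry only "host/".
    return url.split("/", 1)[0]


def unresolvable_connects(text: str) -> Dict[str, Dict[str, object]]:
    """Group blocked requests whose error is a DNS failure by the host that failed."""
    out: Dict[str, Dict[str, object]] = {}
    for f in parse_log(text):
        if f.get("action") == "block" and f.get("error") == "Host not found":
            entry = out.setdefault(host_of(f["url"]),
                                   {"count": 0, "clients": set(), "dstip_empty": True})
            entry["count"] += 1
            entry["clients"].add(f["srcip"])
            # Stays True only while every blocked line has no upstream address at all.
            entry["dstip_empty"] &= (f.get("dstip", "") == "")
    return out


def passed_connect_targets(text: str) -> Dict[str, str]:
    """host -> dstip for CONNECTs the proxy allowed, i.e. the address it really connected to."""
    return {host_of(f["url"]): f["dstip"] for f in parse_log(text)
            if f.get("action") == "pass" and f.get("method") == "CONNECT"}


if __name__ == "__main__":
    for host, info in unresolvable_connects(SAMPLE_LOG).items():
        print(host, info)
    print(passed_connect_targets(SAMPLE_LOG))
```

To use it on a real box, feed it the Web Filtering live log export instead of `SAMPLE_LOG`; any host that appears in `unresolvable_connects` but not in `passed_connect_targets` is one the proxy never managed to resolve.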


  • It looks like the issue is caused by two things:

    1) There is no DNS entry for "www.feelinsonice.com"
    2) The "Pharming protection" feature of the web filtering proxy is broken...

    Here is how I worked around these problems:

    1) Create a static DNS entry for "www.feelinsonice.com" pointing to IP address "74.6.34.30"
    2) In the Sophos UTM web management GUI go to "Web Protection" -> "Filtering Options" -> "Misc" tab. Scroll down to the bottom and deselect / disable "Enable Pharming protection"...

  • I got the same problem and this works for me.

    Adding an exception for ^https?://([A-Za-z0-9.-]*\.)?feelinsonice\.com/ does not work

    Is there a way to use an exception rule that works?

  • So far the only way to get Snapchat to work is to go to Web Protection, then to Filtering Options, then to Misc and scroll to the bottom and uncheck Pharming Protection.  No exceptions or settings seem to work.

  • RobertAdelman said:

    So far the only way to get Snapchat to work is to go to Web Protection, then to Filtering Options, then to Misc and scroll to the bottom and uncheck Pharming Protection.  No exceptions or settings seem to work.

    I was able to work around this in UTM 9 without disabling Pharming Protection.  Am still a bit unclear what exactly worked.

  • I have confirmed this in SFOS and 99% sure it is the same in UTM.

    In this case:
    client makes a TCP connection to 146.148.72.110:443
    the connection has SNI of www.feelinsonice.com
    Because pharming protection is on, UTM does not trust that www.feelinsonice.com is really 146.148.72.110
    UTM does a DNS lookup for www.feelinsonice.com
    DNS lookup fails
    UTM cannot connect to the far server because it is unresolvable
    UTM does SSL handshake with client using its own CA to present error message.

    There are two workarounds:

    Workaround 1: turn off pharming protection

    Workaround 2: Go to Network Definitions and add a Host object, making sure to fill in the ipv4 address and the DNS settings for Hostname.
    146.148.72.110 www.feelinsonice.com

    Note: For all I know snapchat has its own weird way of choosing where to connect to.  I know that in one instance 146.148.72.110 was the destination.  A "more correct" solution would be to tcpdump or turn on additional logging so that you can determine what ip your snapchat is connecting to, in case there are regional differences.
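The decision sequence described in the post above, written out as an added example (my own model, not Sophos code and not something Michael Dunn posted). It takes the client's chosen destination and the SNI from the ClientHello, and shows why the request fails with pharming protection on and an unresolvable name, and why each of the two workarounds (turning the feature off, or a host object that answers the lookup) makes it pass. What the proxy does when the name resolves but to a different address than the client picked is not stated on the page; the model assumes the proxy connects to its own resolution, and labels that assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class UtmConfig:
    # Web Protection -> Filtering Options -> Misc -> "Enable Pharming protection"
    pharming_protection: bool = True
    # Workaround 2: Network Definitions host objects with a hostname and an IPv4
    # address. Assumption: these answer the proxy's lookup before upstream DNS.
    static_hosts: Dict[str, str] = field(default_factory=dict)


@dataclass
class Verdict:
    action: str                  # "pass" or "block", as in the httpproxy log
    connect_to: Optional[str]    # address the proxy opens the upstream connection to
    error: str = ""              # the log's error= field
    note: str = ""


def resolve(hostname: str, config: UtmConfig, dns: Dict[str, str]) -> Optional[str]:
    """Static host objects first, then the (simulated) upstream resolver."""
    if hostname in config.static_hosts:
        return config.static_hosts[hostname]
    return dns.get(hostname)


def decide_connect(client_dst_ip: str, sni: Optional[str],
                   config: UtmConfig, dns: Dict[str, str]) -> Verdict:
    """Model of the proxy's choice of upstream address for a transparent HTTPS CONNECT."""
    if not config.pharming_protection:
        # Workaround 1: the proxy trusts the address the client connected to.
        return Verdict("pass", client_dst_ip)
    if sni is None:
        # Assumption: with no name to verify there is nothing to re-resolve.
        return Verdict("pass", client_dst_ip, note="no SNI, client address used")
    resolved = resolve(sni, config, dns)
    if resolved is None:
        # Pharming protection on + lookup failure = the 502 "Host not found" in the log.
        return Verdict("block", None, error="Host not found")
    if resolved != client_dst_ip:
        # Assumption: the proxy prefers its own resolution over the client's address.
        return Verdict("pass", resolved, note="client address overridden by DNS")
    return Verdict("pass", resolved)


if __name__ == "__main__":
    # Constructed resolver contents: the flurry host resolves, feelinsonice does not.
    dns = {"data.flurry.com": "74.6.34.30"}
    print(decide_connect("146.148.72.110", "www.feelinsonice.com", UtmConfig(), dns))
    print(decide_connect("146.148.72.110", "www.feelinsonice.com",
                         UtmConfig(pharming_protection=False), dns))
    print(decide_connect("146.148.72.110", "www.feelinsonice.com",
                         UtmConfig(static_hosts={"www.feelinsonice.com": "146.148.72.110"}), dns))
```

The model also shows why the URL exception in the earlier reply cannot help: the block happens while the proxy is choosing where to connect, before any filtering action that the `exceptions=` list in the log could skip.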

  • Thanks Michael Dunn for this insight.  This made me think of a similar issue I was having and couldn't find a fix (ended up disabling HTTPS scanning altogether).  Not ideal.

    With some mobile apps, I can filter in Livelog the traffic to and from a specific IP within web filtering.  However there have been cases where a mobile app, for example American Express Serve app, is unable to login to a user account with filtering enabled.  When I view the web filtering log for anomalies and blocked pages, there are none.  It's as if the web filtering log isn't complete or detailed enough for me to identify urls/pages for which I need to add other exceptions.

    Is there additional web filtering that can be enabled?

  • There is additional logging that dev or support can turn on, however at this time I don't know if that is public information.  It opens up another can of worms, and the developer level logging may lead you down wrong paths of understanding.

    However what you can do is use Wireshark or Fiddler to watch all your traffic.  Wireshark is a tcpdump so you can see all HTTP, DNS, and other traffic leaving your client machine, however inspecting HTTPS is a pain.  Fiddler is a Windows on-box proxy that lets you monitor all HTTP and HTTPS traffic, but it makes the traffic standard mode and not transparent mode.

    For mobile apps, run tcpdump on the box then copy it to Windows and read the logs in Wireshark.

  • Michael Dunn said:

    For mobile apps, run tcpdump on the box then copy it to Windows and read the logs in Wireshark.

    Appreciate the recommendation.  Does tcpdump show the traffic in numeric IP addresses (1.2.3.4) or does it resolve it to FQDNs (server.microsoft.com)?  I'll give it a try!

  • tcpdump will dump the raw tcp packets including the source and destination ip and port.

    Then after the packet capture you need to read those packets.  The Linux tcpdump command line tool can do some things but it is better to load that capture into a graphical tool such as Wireshark.  I'm not sure, but I suspect Wireshark could resolve the IPs for you, however they would be resolved at the time of displaying the log, not resolved by the SFOS box during capture - since during capture there are no hostnames.

    ask.wireshark.org/.../can-wireshark-automatically-resolve-the-ip-address-into-host-names
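The two replies above are right that a capture contains only addresses and ports. For HTTPS there is still one place the hostname appears in the clear, and it is exactly the field the proxy acted on earlier in the thread: the SNI extension of the TLS ClientHello. The following is an added example (mine, not Michael Dunn's and not a Sophos tool) that builds a minimal ClientHello for a given name, parses the SNI back out of a raw TLS record, and maps destination addresses to the names seen going to them; run over the TCP payloads of a tcpdump capture it gives the `address -> hostname` pairs needed for the host-object workaround without trusting reverse DNS. The packets and flow list below are constructed in the code, and the builder zeroes the 32-byte random and offers two fixed cipher suites only because no real handshake takes place.

```python
import struct
from typing import Dict, Iterable, Optional, Set, Tuple


def build_client_hello(server_name: str, cipher_suites=(0x1301, 0x1302)) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello record carrying one SNI entry."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type server_name(0)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"                         # version, random (zeroed), no session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                              # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello record, or None if absent or malformed."""
    try:
        if data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                   # skip client_version and random
        sid_len = body[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len
        if pos + 2 > len(body):
            return None                                # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == 0x0000:
                list_len = struct.unpack("!H", edata[:2])[0]
                q = 2
                while q + 3 <= 2 + list_len:
                    ntype = edata[q]
                    nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]; q += 3
                    if ntype == 0:
                        return edata[q:q + nlen].decode("ascii")
                    q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def map_flows(flows: Iterable[Tuple[str, bytes]]) -> Dict[str, Set[str]]:
    """dst address -> set of SNI names seen in ClientHellos sent to it."""
    seen: Dict[str, Set[str]] = {}
    for dst, payload in flows:
        name = extract_sni(payload)
        if name:
            seen.setdefault(dst, set()).add(name)
    return seen


# Constructed "capture": the address from the post with Snapchat's name, one
# unrelated flow, and a truncated record that must be ignored rather than crash.
SAMPLE_FLOWS = [
    ("146.148.72.110", build_client_hello("www.feelinsonice.com")),
    ("74.6.34.30", build_client_hello("data.flurry.com")),
    ("10.0.0.1", b"\x16\x03\x01\x00\x02\x01\x00"),
]

if __name__ == "__main__":
    for dst, names in map_flows(SAMPLE_FLOWS).items():
        print(dst, sorted(names))
```

With a real capture, extract each client-to-server payload of the first packet after the handshake on port 443 and pass it through `extract_sni`; the names that come back against the addresses the app connects to are the host objects to create, and if the same name shows up against several addresses you have the regional variation Michael Dunn warns about.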

