
Blocking some streaming radio via Web Protection, Application Control Rules has no effect

Hello,

My goal was to block some live radio streaming traffic for all users. In particular, I was hunting after the ShoutCast.

First, in the Flow Monitor, I noticed this ShoutCast is being used continuously all day long. So, I clicked the button to block it. A confirmation message came up and a new rule was created in Web Protection, Application Control Rules:

This had no effect. Then, I added another rule to block any "Streaming Media" and "Streaming Media and Messaging" with Productivity <= 1 and Risk <= 5 (this would still allow YouTube):

This also had no effect. I can still see that some users are streaming the radio from the ShoutCast.

My UTM is 9.506-2
Web Filtering is enabled, Mode is transparent; HTTPS Scan Settings are URL filtering only.
There are several profiles configured for different groups of computers to allow/block Internet access for specific periods of time. Everything works as expected. So, I want to apply my media streaming condition in addition to URL filtering, only for those groups that are allowed general Internet access at that time.

Am I missing something? I would appreciate any advice.



  • I would think that your AppCtrl rules would have worked to block everyone, so I think you should get a case open with Sophos Support.

    In the meantime, why not do this inside Web Filtering where you have more granular control over who's blocked and when?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you Bob for your reply.

    You are right, the Web Filtering can be very precise on whom exactly and when exactly to block or allow. I was however trying to block very specific traffic, but for everyone and always. That way, I would still allow the YouTube for example, as it is often used for legitimate business purposes. The AppCtrl is supposed to do exactly that, to filter streaming media by assigning Productivity and Risk values as desired.

    Anyway, I wanted to explore what you suggested and created a new Filter Category for Streaming Media and named it as such. There was a category named "Entertainment / Culture", which I didn't want to block completely, this is why I came up with my own.

    Marked to block my "Streaming Media" in my newly created "No Streaming Media Filter Action".

    Configured my web filtering profile to include just my computer and assigned my "No Streaming Media Filter Action" as a filter action.

    Then, navigated to a web site broadcasting some news, ... and the radio was still working!

    I guess, the stuff that I am trying to block has not been categorized as streaming media.

    It bothers me when something is supposed to work, but it doesn't. Maybe I should open a case with Sophos. Or, I am doing something wrong?

  • Show us a representative line or two in the Web Filtering log where traffic passes that you intended to block.

    Cheers - Bob
  • I tried three sources for live streaming sound: ShoutCast, AccuRadio and 680News.

    These logs were collected with AppCtrl rules on, and No Streaming Media in content filter on.

    The ShoutCast was blocked:
    2018:03:08-07:50:45 firewall-2 httpproxy[8374]: id="0066" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden application detected" action="block" method="CONNECT" srcip="192.168.0.136" dstip="5.39.58.74" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_HttProContaInterNetwo4 (No Streaming Media Profile)" filteraction="REF_HttCffNoAdsConteFilte (No Streaming Media Filter Action)" size="0" request="0xcd753000" url="https://www.shoutcast.com/" referer="" error="" authtime="0" dnstime="36092" cattime="30075" avscantime="0" fullreqtime="300317" device="0" auth="0" ua="" exceptions="" category="124" reputation="neutral" categoryname="Internet Radio/TV" application="SHOUTCAS" app-id="442"

    The second one, the AccuRadio was playing:
    2018:03:08-08:40:53 firewall-2 httpproxy[8374]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.0.136" dstip="52.85.112.110" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo4 (No Streaming Media Profile)" filteraction="REF_HttCffNoAdsConteFilte (No Streaming Media Filter Action)" size="755" request="0xd96f0a00" url="https://cdn.accuradio.com/" referer="" error="" authtime="0" dnstime="75051" cattime="120" avscantime="0" fullreqtime="5627148" device="0" auth="0" ua="" exceptions="" category="112" reputation="neutral" categoryname="Entertainment"

    680News was also playing, no problem:
    2018:03:08-07:53:03 firewall-2 httpproxy[8374]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.168.0.136" dstip="23.59.154.41" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaInterNetwo4 (No Streaming Media Profile)" filteraction="REF_HttCffNoAdsConteFilte (No Streaming Media Filter Action)" size="66552" request="0xdaec4a00" url="radio_cftr-lh.akamaihd.net/.../segment152051357_48_a-p.ts referer="http://player.680news.com/" error="" authtime="0" dnstime="0" cattime="29690" avscantime="0" fullreqtime="192052" device="0" auth="0" ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0" exceptions="" category="177" reputation="trusted" categoryname="Content Server" content-type="video/MP2T" application="akamai" app-id="799"

    Noticed something strange today. It started blocking YouTube video by the AppCtrl rule.
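
Added example (not part of the original thread and not Sophos tooling): a short Python triage of httpproxy lines like the ones posted above. It lists every passed request with its host, category, application and referring site, which shows what a block rule or re-categorization would have to match. The sample lines are constructed, with example hosts and addresses, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines, shortened and modelled on the httpproxy entries above.
SAMPLE_LOG = '''\
2018:03:08-07:50:45 fw httpproxy[1]: id="0066" name="web request blocked, forbidden application detected" action="block" method="CONNECT" srcip="192.0.2.10" url="https://radio.example.com/" referer="" category="124" categoryname="Internet Radio/TV" application="SHOUTCAS" app-id="442"
2018:03:08-08:40:53 fw httpproxy[1]: id="0001" name="http access" action="pass" method="CONNECT" srcip="192.0.2.10" url="https://cdn.music.example.net/" referer="" category="112" categoryname="Entertainment"
2018:03:08-07:53:03 fw httpproxy[1]: id="0001" name="http access" action="pass" method="GET" srcip="192.0.2.10" url="http://live.cdn.example.org/hls/seg1.ts" referer="http://player.news.example/" category="177" categoryname="Content Server" content-type="video/MP2T" application="akamai" app-id="799"
'''

# key="value" pairs; keys may contain hyphens (app-id, content-type).
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_line(line):
    """Turn one httpproxy log line into a dict of its key="value" fields."""
    return dict(FIELD_RE.findall(line))


def host_of(url):
    """Host part of a logged URL or referer; the scheme may be missing."""
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname or ""


def triage(log_text):
    """Return one record per passed request, for review against filter rules."""
    rows = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "pass":
            continue
        ctype = f.get("content-type", "").lower()
        rows.append({
            "host": host_of(f.get("url", "")),
            "category": f.get("categoryname", ""),
            "app": f.get("application", ""),
            # Referring site: the page that embeds the stream, if logged.
            "via": host_of(f.get("referer", "")),
            # CONNECT lines carry no content-type when HTTPS is URL filtering only.
            "media": ctype.startswith(("audio/", "video/")),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```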

  • Go to TrustedSource - Check Single URL, Costas, and suggest a re-categorization for http://player.680news.com/ and https://cdn.accuradio.com/.

    Cheers - Bob

  • Thank you Bob.

    This appears to be useful. I never knew that I could suggest a category change!

    Will try!

  • Part of the issue is that the URL in the allowed traffic is akamai, not player.680news.com.  The web filter will not catch that most likely.

  • It would never get to Akamai, Darrell, if player.680news.com were blocked. ;)

    Cheers - Bob
