Block Shortened URL

ccg-security
Level 1

Hi Cisco Support,

Our problem is that the attacker attached a picture file, and when the user clicks that picture, it redirects to a certain shortened URL link that hides the real URL and downloads a malicious file. We found out that the attacker uses goo.gl.com so that IronPort has a positive scan. We want to automate a filter in case other attackers use other URL shortening servers instead of goo.gl.com. We opened a Cisco TAC case, but it didn't work out regarding regular expressions. Kindly help us with how to block shortened URL links.

Thank you and best regards!

dmccabej
Cisco Employee

Hello,

We're working on providing the needed support for shortened URLs in the near future in regards to URL Filtering.

In the meantime, you can set up a Content Filter with a condition similar to the one below in order to trigger on these types of links in the message body and/or attachment. Also, please be sure to reference the following enhancement request to your TAC engineer so they can add a sighting to your case.

CSCva56442 - Enhancement Request - URL filtering should resolve shortened URL's

Thanks!

-Dennis M.

Hi Dennis,

Thank you for providing the screenshot. It works, but what are the other shortened URL links? The attacker may use other links, and we want to automate this if ESA can do that.

Thank you and best regards!

Hello,

You're very welcome! :) 

I typically don't use URL shortening services very often, so I'm not too sure what the most widely used ones are. With a quick search I was able to find the Wiki for URL Shortening that provides some common services used: https://en.wikipedia.org/wiki/URL_shortening#URL_shortening_services

You can probably search around a bit further if you're interested in others. All you would need to do at that point is edit your content filter to match on other services/URL's.

Thanks!

-Dennis M.

Hi Dennis,

Thank you for your prompt response!

CHEERS!

I know this is an old post, but now that Google is migrating their shortened link service from GOO.GL to PAGE.LINK, is this something that will be added into the URL engine? Is there a roadmap to add more URL shortener services being abused?

I opened a TAC case for this abuse, but didn't get quite a good answer on whether this will be added or evolved, and seem to have no other choice than to block these URLs until we get a clear answer on whether this will be handled.

Thank you

ref: https://firebase.google.com/support/guides/url-shortener

In the past, we did work to engage the currently seen shortener services in use.  These get updated on the ESA via the updater as Cisco evaluates and pushes those --- at times adding some, at other times removing old.  All controlled by the updater service running on ESA.

This is seen on the older AsyncOS versions, applicable in websecurityadvancedconfig:

Do you want to enable URL filtering for shortened URLs? [Y]>

For shortened URL support to work, please ensure that ESA is able to connect to following domains:
bit.ly, tinyurl.com, ow.ly, tumblr.com, ff.im, youtu.be, tl.gd, plurk.com, url4.eu, j.mp, goo.gl, fb.me, alturl.com, wp.me, chatter.com, tiny.cc, ur.ly

Moving into 13.5, we will have Cloud URL Analysis (CUA) take this over.  The shortened URLs are deprecated into the Talos cloud-driven engine.  At which time, Talos will have this running from the Cisco side in the services that feed CUA, allowing a better field of services scanned for URL Analysis.

If there is a shortened URL domain that is NOT covered in the listing, you can open a support note directly to Talos: https://talosintelligence.com/reputation_center/support

The steps provided at the start of the thread here will still apply, too.  You can add something you feel is needed, but maybe not yet widely seen to have been included, and create a message or content filter.  One other area that may contain some of the shortened URL domains could be an External Threat Feed.  If you subscribe and enable ETF on ESA, these may catch URLs in this fashion as well --- providing a second set of scan/detect, in addition to what Talos provides ESA already.


HTH.

-Robert
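As an added illustration of the filter condition Dennis describes and the shortener domain list Robert quotes above (this is example code written for this thread, not Cisco's own filter or anything from AsyncOS), the script below scans an e-mail body for links whose host is a known shortener, including a shortened link hidden behind an image as in the original report. The host list is the websecurityadvancedconfig list from this thread plus page.link; the sample message and the "quarantine"/"deliver" verdict are constructed stand-ins for whatever action the real content filter would take.

```python
"""Flag shortened-URL links in an e-mail body (added example, not Cisco's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Shortener hosts named in this thread (the websecurityadvancedconfig list plus
# goo.gl's successor page.link). Extend this set as new services are seen.
SHORTENER_HOSTS = {
    "bit.ly", "tinyurl.com", "ow.ly", "tumblr.com", "ff.im", "youtu.be", "tl.gd",
    "plurk.com", "url4.eu", "j.mp", "goo.gl", "fb.me", "alturl.com", "wp.me",
    "chatter.com", "tiny.cc", "ur.ly", "page.link",
}

# Bare http(s) URLs in text; stops at whitespace, angle brackets and quotes.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collects <a href> targets, noting whether the anchor wraps an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []          # list of (url, wraps_image)
        self._open_href = None   # href of the anchor currently open, if any
        self._saw_img = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._open_href = a["href"]
            self._saw_img = False
        elif tag == "img" and self._open_href is not None:
            self._saw_img = True   # clickable image, the pattern in this thread

    def handle_endtag(self, tag):
        if tag == "a" and self._open_href is not None:
            self.links.append((self._open_href, self._saw_img))
            self._open_href = None


def shortener_host(url):
    """Return the shortener host that url belongs to (exact or subdomain), else None."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for s in SHORTENER_HOSTS:
        if host == s or host.endswith("." + s):
            return s
    return None


def find_shortened_links(body):
    """Return [(url, shortener, wraps_image)] for every shortened link in body."""
    collector = _LinkCollector()
    collector.feed(body)
    seen, findings = set(), []
    # Anchor targets first: these are what the user actually clicks.
    for url, wraps_image in collector.links:
        s = shortener_host(url)
        if s and url not in seen:
            seen.add(url)
            findings.append((url, s, wraps_image))
    # Then bare URLs (plain-text mail, or links not inside an anchor).
    for url in URL_RE.findall(body):
        url = url.rstrip(".,);")
        s = shortener_host(url)
        if s and url not in seen:
            seen.add(url)
            findings.append((url, s, False))
    return findings


def verdict(body):
    """Stand-in for the content filter action: quarantine if any shortened link is present."""
    return "quarantine" if find_shortened_links(body) else "deliver"


# Constructed sample resembling the case in this thread: an image whose link points
# at a shortener, a legitimate link, and a bare shortened URL in the text.
SAMPLE_BODY = """<html><body>
<p>Your invoice is ready.</p>
<a href="https://goo.gl/EXAMPLE1"><img src="cid:invoice.png" alt="invoice"></a>
<a href="https://www.example.com/account">Account page</a>
<p>Or use https://bit.ly/EXAMPLE2 to download.</p>
</body></html>"""

if __name__ == "__main__":
    for url, s, img in find_shortened_links(SAMPLE_BODY):
        print(f"{s:12} {url}{' (behind image)' if img else ''}")
    print(verdict(SAMPLE_BODY))
```

Matching on the host rather than on a raw substring is deliberate: a substring check for "goo.gl" would also fire on unrelated hosts such as "goo.gl.example.com", while the suffix match here only accepts the shortener domain itself or its subdomains (which is how page.link hands out per-project hosts).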

Thank you Robert! really appreciate your complete and thorough answer!