07-17-2015 12:17 AM - edited 03-12-2019 05:43 AM
Hi all,
I have one question about Sourcefire URL filtering.
As far as I know, Sourcefire does not support SSL encryption/decryption.
My question is: how does it block HTTPS websites, e.g. https://facebook.com?
07-29-2015 02:23 PM
We had the same question a year ago.
We block HTTPS websites using the following trick:
Step 1:
Go to Object Management -> URL -> Individual Objects -> Add URL
Give the URL object a name and type the URL. For example, to block
Facebook, type "facebook.com" unquoted.
Step 2:
Go to the rule in Access control policy and associate this object to the rule.
Step 3:
Apply all changes, then wait a little while until the control policy status goes from
"Applying to device" to "Policy Up-to-date on device".
Step 4:
Try your config.
I hope this helps you.
12-09-2016 11:41 AM
Sergio,
Are you able to redirect the user to a custom webpage if they try to visit an HTTPS site, or do they just wait for a timeout message to appear?
08-14-2015 10:51 AM
With the 5.4.x version of code you can perform SSL encryption/decryption and apply policy.
08-17-2015 01:15 PM
Are you sure? I thought you couldn't do SSL decryption with SourceFire and that you required separate SSL hardware.
Do you have any documentation that shows it's possible now?
08-18-2015 09:05 AM
Certain. See the traffic decryption section of the 5.4.1 user guide: http://www.cisco.com/c/en/us/td/docs/security/firesight/541/user-guide/FireSIGHT-System-UserGuide-v5401.html
08-20-2015 07:51 AM
To answer your question about how SourceFire filters URL traffic from HTTPS sites: SourceFire uses the certificate name and SAN names that are sent from the remote end to your PC. Although the packet is sent as DTLS, the SAN names can be read in clear text. I have run a packet capture to test.
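The mechanism described in the reply above, as an added example that is not part of the original thread and is not Cisco's implementation: a passive inspector can pull the dNSName entries out of the subjectAltName extension of a certificate seen in clear text and compare them with a blocked domain. It assumes a TLS 1.2 or earlier handshake, where the server certificate is not encrypted; locating the extension by scanning for its OID is a simplification, `matches_url_object` is a hypothetical match rule, and `SAMPLE` is constructed data rather than a real capture.

```python
SAN_OID = bytes.fromhex("0603551d11")  # DER for OID 2.5.29.17 (subjectAltName)

def der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index of first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def san_dns_names(cert):
    """Return the dNSName entries of the subjectAltName extension in cleartext cert bytes."""
    pos = cert.find(SAN_OID)           # heuristic: locate the extension by its OID
    if pos < 0:
        return []
    try:
        i = pos + len(SAN_OID)
        if cert[i] == 0x01:            # optional BOOLEAN "critical" flag
            i += 3
        if cert[i] != 0x04:            # extnValue is an OCTET STRING
            return []
        _, i = der_len(cert, i + 1)
        if cert[i] != 0x30:            # GeneralNames is a SEQUENCE
            return []
        seq_len, i = der_len(cert, i + 1)
        end, names = i + seq_len, []
        while i < end:
            tag = cert[i]
            length, i = der_len(cert, i + 1)
            if tag == 0x82:            # context tag [2] = dNSName
                names.append(cert[i:i + length].decode("ascii", "replace").lower())
            i += length
        return names
    except IndexError:                 # truncated capture
        return []

def matches_url_object(names, blocked):
    """Hypothetical match rule: exact domain, subdomain, or wildcard of the blocked domain."""
    blocked = blocked.lower()
    return any(n == blocked or n.endswith("." + blocked) for n in names)

def tlv(tag, content):
    """Build a short-form DER element (used only to construct the sample below)."""
    return bytes([tag, len(content)]) + content

# Constructed sample: a SAN extension surrounded by filler bytes, not a real capture.
_names = [b"*.facebook.com", b"facebook.com", b"messenger.com"]
_general = tlv(0x30, b"".join(tlv(0x82, n) for n in _names))
SAMPLE = b"\x02\x01\x02" + tlv(0x30, SAN_OID + tlv(0x04, _general)) + b"\x05\x00"
print(san_dns_names(SAMPLE), matches_url_object(san_dns_names(SAMPLE), "facebook.com"))
```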
08-21-2015 06:54 AM
Thanks, Steve.
Can you send me the packet capture? It would be useful for me to understand.