Filter hostname requests via WFP

  • Question

  • Hi there,

    I am trying to set up a filter to block a hostname via WFP. I searched the internet and this forum for it and found only little information. In this forum the answer is always that this is not possible, but those answers are quite old, so maybe there is a solution available today.

    I am trying to use WFP to block requests by hostname, e.g. "www.google.com". There may be a possibility with FWPM_LAYER_NAME_RESOLUTION_CACHE_V4 and four conditions: FWPM_CONDITION_ALE_USER_ID, FWPM_CONDITION_ALE_APP_ID, FWPM_CONDITION_IP_REMOTE_ADDRESS and finally the important one, FWPM_CONDITION_PEER_NAME. With the last parameter I tried to block www.google.com. Maybe I'm quite wrong with this suggestion ...

    I also created an XML file via "netsh wfp show state" and received the following (only the interesting part; there are more filters inside):

    <item>
     <filterKey>{24c21d1a-628e-43c5-8fd7-a59ad33f137f}</filterKey>
     <displayData>
      <name>Name Resolution Cache filter</name>
      <description>Cached name resolution event</description> 
     </displayData>
     <flags/>
     <providerKey/>
     <providerData/>
     <layerKey>FWPM_LAYER_NAME_RESOLUTION_CACHE_V4</layerKey>
     <subLayerKey>FWPM_SUBLAYER_UNIVERSAL</subLayerKey>
     <weight>
      <type>FWP_EMPTY</type>
     </weight>
     <filterCondition numItems="4">
      <item>
       <fieldKey>FWPM_CONDITION_ALE_USER_ID</fieldKey>
       <matchType>FWP_MATCH_EQUAL</matchType>
       <conditionValue>
        <type>FWP_SID</type>
        <sid>S-1-5-21-1024011789-1237596223-2747892489-15974</sid>
       </conditionValue>
      </item>
      <item>
       <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
       <matchType>FWP_MATCH_EQUAL</matchType>
       <conditionValue>
        <type>FWP_UINT32</type>
        <uint32>23.35.105.121</uint32>
       </conditionValue>
      </item>
      <item>
       <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
       <matchType>FWP_MATCH_EQUAL</matchType>
       <conditionValue>
        <type>FWP_BYTE_BLOB_TYPE</type>
        <byteBlob>
         <data>75006e007300700065006300690066006900650064000000</data>
         <asString>unspecified</asString>
        </byteBlob>
       </conditionValue>
      </item>
      <item>
       <fieldKey>FWPM_CONDITION_PEER_NAME</fieldKey>
       <matchType>FWP_MATCH_EQUAL</matchType>
       <conditionValue>
        <type>FWP_BYTE_BLOB_TYPE</type>
        <byteBlob>
         <data>67006f002e006d006900630072006f0073006f00660074002e0063006f006d000000</data>
         <asString>g.o...m.i.c.r.o.s.o.f.t...c.o.m...</asString>
        </byteBlob>
       </conditionValue>
      </item>
     </filterCondition>
     <action>
      <type>FWP_ACTION_PERMIT</type>
      <filterType/>
     </action>
     <rawContext>0</rawContext>
     <reserved/>
     <filterId>66773</filterId>
     <effectiveWeight>
      <type>FWP_UINT64</type>
      <uint64>1152921504606846975</uint64>
     </effectiveWeight>
    </item>


    With all that information, I tried to create a small sample project, but I can't get this filter and these conditions to work. I always receive errors like index out of bounds, wrong filter or match type.

    So my questions are:
    Is this really not possible even today (and I could not believe that it is not possible ;))?

    Did someone get this filter to work, or is there sample code where this filter and these conditions are properly set (the Microsoft sample project does not include one)?

    Are there other ways to block hostnames (blocking via IP address is not an option)?

    Thanks for your help!



    • Edited by -ChrisD- Monday, September 28, 2015 12:57 PM
    Monday, September 28, 2015 12:51 PM
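The condition values in the netsh dump above are FWP_BYTE_BLOB_TYPE values holding a UTF-16LE string plus a two-byte terminator, which is what the byte-by-byte &lt;asString&gt; rendering (g.o...m.i.c.r.o.s.o.f.t...c.o.m...) reflects, and the FWP_UINT32 remote address is an IPv4 address that netsh prints in dotted form. The following C program is an added example, not code from the post or from any Microsoft sample: it builds a PEER_NAME-style blob for a hostname, renders it as the hex netsh shows, decodes the two blobs quoted in the dump, and converts the dotted address to the host-byte-order 32-bit value WFP uses for IPv4 condition values. The blob_t struct is a local stand-in for the SDK's FWP_BYTE_BLOB (size plus data pointer) so the code builds without Windows headers; it does not call the WFP API itself.

```c
/* Added example: builds and decodes WFP condition values in the form that
 * "netsh wfp show state" prints them. blob_t is a local stand-in for the
 * SDK's FWP_BYTE_BLOB (size + data) so this compiles without Windows headers;
 * nothing here calls the WFP API. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint32_t size;   /* byte count, including the two-byte UTF-16 terminator */
    uint8_t *data;   /* UTF-16LE code units, as in the <data> element */
} blob_t;

/* Encode an ASCII hostname as a null-terminated UTF-16LE blob, the layout of
 * the FWPM_CONDITION_PEER_NAME value in the dump. Caller frees data. */
static blob_t blob_from_ascii(const char *s)
{
    size_t n = strlen(s);
    blob_t b;
    b.size = (uint32_t)((n + 1) * 2);
    b.data = calloc(b.size, 1);        /* zero-filled: terminator comes free */
    for (size_t i = 0; i < n && b.data; i++)
        b.data[2 * i] = (uint8_t)s[i]; /* low byte; high byte stays 0 (ASCII) */
    return b;
}

/* Render a blob as the lowercase hex netsh prints in <data>.
 * out must hold 2*size+1 bytes; otherwise an empty string is written. */
static void blob_hex(const blob_t *b, char *out, size_t outlen)
{
    if (outlen < (size_t)b->size * 2 + 1) { out[0] = '\0'; return; }
    for (uint32_t i = 0; i < b->size; i++)
        sprintf(out + 2 * i, "%02x", b->data[i]);
}

/* Parse a <data> hex string back into a blob. Returns 1 on success, 0 on
 * empty, odd-length or non-hex input. Caller frees out->data on success. */
static int blob_from_hex(const char *hex, blob_t *out)
{
    size_t len = strlen(hex);
    if (len == 0 || len % 2 != 0 ||
        strspn(hex, "0123456789abcdefABCDEF") != len) return 0;
    out->size = (uint32_t)(len / 2);
    out->data = malloc(out->size);
    if (!out->data) return 0;
    for (uint32_t i = 0; i < out->size; i++) {
        unsigned v;
        sscanf(hex + 2 * i, "%2x", &v);   /* input already validated as hex */
        out->data[i] = (uint8_t)v;
    }
    return 1;
}

/* Decode a UTF-16LE blob to ASCII, stopping at the terminator. Code units
 * outside printable ASCII become '?' so nothing is silently dropped. */
static void blob_to_ascii(const blob_t *b, char *out, size_t outlen)
{
    size_t o = 0;
    for (uint32_t i = 0; i + 1 < b->size && o + 1 < outlen; i += 2) {
        uint16_t cu = (uint16_t)(b->data[i] | (b->data[i + 1] << 8));
        if (cu == 0) break;
        out[o++] = (cu >= 0x20 && cu < 0x7f) ? (char)cu : '?';
    }
    if (outlen) out[o] = '\0';
}

/* WFP carries an IPv4 FWP_UINT32 condition value in host byte order; netsh
 * renders it dotted. Returns 1 and fills *out, or 0 for a malformed quad. */
static int ipv4_to_host_u32(const char *dotted, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(dotted, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 1;
}

int main(void)
{
    /* The PEER_NAME blob and the remote address quoted from the netsh dump. */
    const char *peer_hex =
        "67006f002e006d006900630072006f0073006f00660074002e0063006f006d000000";
    blob_t b;
    char text[64], hex[160];
    uint32_t ip;
    if (blob_from_hex(peer_hex, &b)) {
        blob_to_ascii(&b, text, sizeof text);
        printf("PEER_NAME blob: \"%s\" (%u bytes incl. terminator)\n",
               text, (unsigned)b.size);
        free(b.data);
    }
    blob_t mine = blob_from_ascii("www.google.com");
    blob_hex(&mine, hex, sizeof hex);
    printf("www.google.com as a PEER_NAME blob: %s\n", hex);
    free(mine.data);
    if (ipv4_to_host_u32("23.35.105.121", &ip))
        printf("23.35.105.121 as FWP_UINT32 (host order): %u\n", (unsigned)ip);
    return 0;
}
```

Two things worth checking against the "wrong filter or match type" errors in the question: the blob size must include the terminator (the go.microsoft.com blob is 34 bytes, not 32), and each conditionValue type has to be the one the dump shows for that field (FWP_BYTE_BLOB_TYPE for PEER_NAME and ALE_APP_ID, FWP_UINT32 for the IPv4 remote address, FWP_SID for the user id).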

All replies

  • I'm not sure about the approach you've mentioned, as I've not read the documentation of FWPM_LAYER_NAME_RESOLUTION_CACHE_V4.

    However, to my knowledge what you've asked for is achievable at the FWPM_LAYER_STREAM_V4 / FWPM_LAYER_STREAM_V6 layers.

    You could also use FWPM_LAYER_ALE_CONNECT_REDIRECT_V4 / FWPM_LAYER_ALE_CONNECT_REDIRECT_V6 to redirect the underlying TCP connection into a user-mode service. From there you can inspect the HTTP headers for the hostname: attribute.

    Hope this helps.

    • Proposed as answer by JST86 Wednesday, September 30, 2015 9:05 AM
    Wednesday, September 30, 2015 8:26 AM
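For the redirect approach in this reply, the user-mode service that receives the redirected TCP connection has to recover the hostname from the request head, that is the HTTP Host header (the "hostname: attribute" above), before deciding whether to let the connection through. The C code below is an added example, not code from the reply or from any Microsoft sample: http_host extracts the Host value from a buffered request head (case-insensitive header name, trimmed whitespace, optional :port removed, IPv6 literals kept whole, and a "keep buffering" result when the blank line ending the head has not arrived yet), and host_blocked compares it against a small block list in which a leading dot matches a domain together with all of its subdomains. The request bytes in main() are constructed for the example.

```c
/* Added example: hostname extraction for a user-mode service that receives a
 * redirected TCP connection, plus a block-list check. Not from the reply or
 * any Microsoft sample; the request bytes in main() are constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive test for a 4-byte header name equal to "host". */
static int name_is_host(const char *p)
{
    static const char want[] = "host";
    for (int i = 0; i < 4; i++)
        if (tolower((unsigned char)p[i]) != want[i]) return 0;
    return 1;
}

/* Extract the Host header from a buffered HTTP/1.x request head.
 * Returns 1 and fills out (lowercased, whitespace trimmed, :port removed,
 * IPv6 literals such as [::1] kept whole), 0 if the head ended with no
 * usable Host header, or -1 if the head is incomplete: keep buffering. */
static int http_host(const char *buf, size_t len, char *out, size_t outlen)
{
    size_t pos = 0;
    int request_line = 1;
    if (outlen == 0) return 0;
    out[0] = '\0';
    while (pos < len) {
        size_t eol = pos;
        while (eol < len && buf[eol] != '\n') eol++;
        if (eol == len) return -1;                   /* line not finished */
        size_t llen = eol - pos;
        if (llen > 0 && buf[pos + llen - 1] == '\r') llen--;
        if (llen == 0) return 0;                     /* blank line: head over */
        if (!request_line) {
            const char *line = buf + pos, *lend = line + llen;
            const char *colon = memchr(line, ':', llen);
            if (colon && colon - line == 4 && name_is_host(line)) {
                const char *v = colon + 1, *vend = lend;
                while (v < vend && (*v == ' ' || *v == '\t')) v++;
                while (vend > v && (vend[-1] == ' ' || vend[-1] == '\t')) vend--;
                /* drop a trailing :port, but stop at ']' so [::1] survives */
                const char *cut = vend;
                for (const char *q = vend; q > v; q--) {
                    if (q[-1] == ':') { cut = q - 1; break; }
                    if (q[-1] == ']') break;
                }
                size_t hlen = (size_t)(cut - v);
                if (hlen == 0 || hlen + 1 > outlen) return 0;
                for (size_t i = 0; i < hlen; i++)
                    out[i] = (char)tolower((unsigned char)v[i]);
                out[hlen] = '\0';
                return 1;
            }
        }
        request_line = 0;
        pos = eol + 1;
    }
    return -1;                                       /* no blank line yet */
}

/* Block-list check on a lowercased hostname. An entry with a leading dot,
 * e.g. ".example.com", matches example.com and every subdomain of it;
 * any other entry must match exactly. Entries are expected in lowercase. */
static int host_blocked(const char *host, const char *const *list, size_t n)
{
    size_t hl = strlen(host);
    for (size_t i = 0; i < n; i++) {
        const char *e = list[i];
        size_t el = strlen(e);
        if (e[0] == '.') {
            if (strcmp(host, e + 1) == 0) return 1;
            if (hl > el && strcmp(host + hl - el, e) == 0) return 1;
        } else if (strcmp(host, e) == 0) {
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed request head, not captured traffic. */
    const char req[] =
        "GET /search?q=wfp HTTP/1.1\r\n"
        "User-Agent: example\r\n"
        "host:  www.google.com:80 \r\n"
        "\r\n";
    static const char *const blocklist[] = { ".google.com" };
    char host[256];
    int rc = http_host(req, sizeof req - 1, host, sizeof host);
    if (rc == 1)
        printf("Host %s -> %s\n", host,
               host_blocked(host, blocklist, 1) ? "block" : "permit");
    else
        printf("no usable Host header (rc=%d)\n", rc);
    return 0;
}
```

This inspection only works for plaintext HTTP: inside a TLS connection the Host header is encrypted, so a service sitting on the redirected stream does not see it there.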