how to block cineblog01 but enable all the other streaming media?

Solved
mishcazzulani
Here to help


Hello community,

I need to block the ability to surf cineblog01, an illegal film streaming platform which changes hostname every 10 days (cineblog01.voto, cineblog01.ink, cineblog01.cloud).

I can't block the entire streaming media category.

I'd like to do something like deny cineblog01.*

1 Accepted Solution
SoCalRacer
Kind of a big deal

I think you might have a couple options.

1) Block streaming media. Then start whitelisting the known good services you want to allow.

2) Start doing research/packet captures on the data. Find out what port it is using or maybe it used a common CDN every day even though the domain is changing. Then block that URL.

3) If you have a small subset of users doing this, then you might create an alert or rule to block all internet after using 1GB of data on that service. Then coach the user or forward to their manager.

MarcP
Kind of a big deal

Should be possible as you said:

 

Using the Catch-All Wildcard (*) in URLs

The asterisk symbol has two primary uses in URLs for content filtering.

  • Standalone Catch-All Wildcard
    • The " * " (asterisk) symbol when used on its own line is an all-inclusive wildcard which represents all possible entries

 

https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering

mishcazzulani
Here to help

Thank you for your quick reply.

If I use only the asterisk it blocks everything, instead:

  • The " * " (asterisk) symbol when used as part of a URL or in line with a URL is simply a regular asterisk symbol and is interpreted as part of the URL, NOT as a wildcard

wifijanitor
Meraki Employee

I think @MarcP was just pointing you to the Content filtering configuration area.

Under URL Blocking, you wouldn't put " * ", you would put "cineblog01.*" as you had wanted in your OP
BrechtSchamp
Kind of a big deal

I'm afraid it's not possible to block it that way.

An asterisk is evaluated as a literal asterisk when in a URL.

I first thought you could just put cineblog01, but that's not going to work either.

You could block the "Entertainment and Arts" URL category, but then you'll be hitting a lot of other websites as well.

They don't happen to use a static IP range, do they?

mishcazzulani
Here to help

@wifijanitor I already tried your suggestion and it doesn't work.

In fact the line @MarcP quoted says: the " * " (asterisk) symbol when used on its own line is an all-inclusive wildcard which represents all possible entries.

@BrechtSchamp unfortunately not, they also change the IP range.

Nash
Kind of a big deal

@SoCalRacer's #3 has some keys. In the past with clients, I identified the culprit machine, we identified users of that machine, and they handled it as a management matter.

Mgmt may want to turn this into solely a technical manner, but that leaves you responsible while letting mgmt not do the hard thing. Good luck.

PhilipDAth
Kind of a big deal

What happens if you put just cineblog01 in the blocked URL patterns list?

BrechtSchamp
Kind of a big deal


@PhilipDAth wrote:

What happens if you put just cineblog01 in the blocked URL patterns list?


If the docs are correct then it wouldn't match. It would try to match cineblog01.voto and failing that it would try to match .voto.
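
A simplified model of the matching order described in the replies above and in the quoted documentation, added here as an illustration (it is not part of any post and is not Meraki's code). The function names, the path handling and writing the last candidate without a leading dot are assumptions.

```python
from urllib.parse import urlsplit

def candidates(url):
    """Yield the literal strings tried against the list, most specific first."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    segments = [s for s in parts.path.split("/") if s]
    # Host plus path, dropping one trailing path segment at a time.
    for i in range(len(segments), 0, -1):
        yield host + "/" + "/".join(segments[:i])
    # Then the host itself, dropping one leading label at a time.
    labels = host.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])
    # Last of all, the standalone catch-all entry.
    yield "*"

def first_match(url, patterns):
    """Return the list entry that matches, or None. Entries are literals."""
    entries = {p.strip().lower() for p in patterns}
    for cand in candidates(url):
        if cand in entries:
            return cand
    return None

if __name__ == "__main__":
    url = "http://cineblog01.voto/film/123"   # constructed sample URL
    for entry in ("cineblog01.*", "cineblog01", "cineblog01.voto", "*"):
        print(f"{entry!r:20} -> {first_match(url, [entry])}")
```

Under this model only the exact hostname or the standalone `*` matches, which is why each new hostname has to be added as its own entry.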

SoCalRacer
Kind of a big deal

On the videos I checked they are all using the same CDN. So I would block that. Not sure if that will also change every day, but it is worth a shot. Also it seems like the service won't work without authenticating; when doing that it is doing it via the same primary domain (4kmovies.online). I would assume changing domains daily with DNS propagation and changing the location of the authentication service every day has to be time consuming. Also, the IP range they are currently using is 104.31.77.0-104.31.77.255 and located in Chicago behind Cloudflare. I thought maybe you could try a block from a country outside of yours, but looks like that won't work.

 

cdn.4kmovies.online
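
One way to do the log research suggested in this thread, added as an example that is not part of any post: from per-client DNS or proxy logs, list every observed `cineblog01.<tld>` hostname and find the hostnames that appear alongside it on every day it was seen, which are the stable candidates for an exact block entry. The three-column log format, the dates and the client addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed sample log: "<day> <client> <hostname>"
LOG = """\
day-01 10.0.0.21 cineblog01.voto
day-01 10.0.0.21 cdn.4kmovies.online
day-01 10.0.0.21 mail.example.com
day-01 10.0.0.35 news.example.org
day-11 10.0.0.21 cineblog01.ink
day-11 10.0.0.21 cdn.4kmovies.online
day-11 10.0.0.21 news.example.org
day-21 10.0.0.40 cineblog01.cloud
day-21 10.0.0.40 cdn.4kmovies.online
day-21 10.0.0.40 mail.example.com
"""

def analyse(log_text, label="cineblog01"):
    """Return (rotating hostnames, hostnames seen with them on every day)."""
    sessions = defaultdict(set)            # (day, client) -> hostnames
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue                       # skip malformed lines
        day, client, host = fields
        sessions[(day, client)].add(host.lower())

    rotating = set()
    companions = defaultdict(set)          # day -> other hosts in hit sessions
    for (day, _client), hosts in sessions.items():
        hits = {h for h in hosts if label in h.split(".")}
        if hits:
            rotating |= hits
            companions[day] |= hosts - hits

    stable = set.intersection(*companions.values()) if companions else set()
    return sorted(rotating), sorted(stable)

if __name__ == "__main__":
    rotating, stable = analyse(LOG)
    print("exact entries to add:", rotating)
    print("seen on every day   :", stable)
```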
