Application Signatures for HTTP Filtering

You allow your internal clients to access the Internet, but want to limit their use of some applications. You can block their use of applications that run over HTTP by using the HTTP filtering capability of ISA Server 2004. But to block the application, you need the application signature. Here's how you find the signature:

Use a network traffic capturing utility, such as Network Monitor (known affectionately in some circles as NetMon). Install the utility on ISA Server. Best to do this sort of thing in a lab, unless you're completely comfortable about the security effects of the utility you use. Configure the utility to capture packets from a specific client.

On that client, access the application you're interested in. In the monitoring utility, find the HTTP request packet from the client (it usually follows the handshake packets) and look for a signature in the packet. A little finesse is needed, because you want to pick a signature that is general enough to always block the application, but not so generic that it blocks everything. For example, the signature "a" is a little too generic.

Once you've located a signature, you can add it to the Signatures tab of the HTTP policy for the access rule, and test it in production.
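The trade-off described above can be checked offline before a signature goes into the rule. The following is an added example, not part of the original post: it derives candidate signatures from request headers captured for the application and tests each against ordinary browsing traffic. "ExampleChat", the hostnames and all sample requests are constructed, and plain case-sensitive substring matching on request headers is a simplifying assumption.

```python
import os

# Constructed captures of the application's HTTP requests (hypothetical app).
APP_REQUESTS = [
    "POST /gateway HTTP/1.1\r\nHost: chat.example.com\r\n"
    "User-Agent: ExampleChat/2.1\r\nContent-Type: application/x-examplechat\r\n\r\n",
    "GET /poll?id=7 HTTP/1.1\r\nHost: chat.example.com\r\n"
    "User-Agent: ExampleChat/2.3\r\nAccept: */*\r\n\r\n",
]
# Constructed captures of traffic that must keep working.
BASELINE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\nAccept: */*\r\n\r\n",
    "POST /login HTTP/1.1\r\nHost: intranet.example.net\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n",
]

def headers(request):
    """Parse the header lines of a raw request into {name: value}."""
    lines = request.split("\r\n\r\n", 1)[0].split("\r\n")[1:]  # skip request line
    return dict(line.split(": ", 1) for line in lines if ": " in line)

def candidates(app=APP_REQUESTS):
    """For each header present in every app request, the common prefix of its values."""
    parsed = [headers(r) for r in app]
    shared = set(parsed[0]).intersection(*parsed[1:])
    found = []
    for name in sorted(shared):
        prefix = os.path.commonprefix([p[name] for p in parsed])
        if prefix:
            found.append(f"{name}: {prefix}")
    return found

def evaluate(signature, app=APP_REQUESTS, baseline=BASELINE_REQUESTS):
    """Return (app requests missed, baseline requests blocked) for a signature."""
    missed = sum(1 for r in app if signature not in r)
    collateral = sum(1 for r in baseline if signature in r)
    return missed, collateral

def verdict(signature):
    missed, collateral = evaluate(signature)
    if collateral:
        return "too generic"   # would also block unrelated traffic
    if missed:
        return "too specific"  # some of the application's requests slip through
    return "usable"

if __name__ == "__main__":
    for sig in candidates() + ["a", "ExampleChat/2.1"]:
        print(f"{sig!r}: {verdict(sig)} {evaluate(sig)}")
```

A candidate that comes back "usable" here has only been checked against the requests you captured, so the more varied the baseline capture, the more the result tells you.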

You can read more about this in the document "HTTP Filtering in ISA Server 2004", at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/httpfiltering.mspx.

Nathan Bigman, ISA Server Product Team