allow 1 url while blocking others

Unanswered Question
May 14th, 2007

Hello All,

I am running an ASA w/AIP. What I would like to do is block all URL requests for .php except for 1 URL. The engine being used for the custom signature is service-http.

I have tried ([^(allow.site)][A-Za-z][0-9])*\x2E([Pp\x50\x70][Hh\x48\x68][Pp\x50\x70])

After configuring this custom signature the IPS complains that all signatures might not fire and signatures should be retired. I've tried to reduce the signatures but the custom signature is still too demanding. My question is, are there any other suggestions as to how this can be achieved?

Thanks

edadios Mon, 05/21/2007 - 20:48

You should have the latest signature version installed, as there has been some modification that helped on the memory side, compared to some older signature versions.

I think something like this should do (have to define allow.site more).

[^(allow.site)][.][Pp][Hh][Pp]

Also, if the port the traffic is expected on is a port listed on WEBPORTS under signature variable in IDM, define the port as #WEBPORTS.

Otherwise, please clarify what is the url you want to allow, and a sample of what you do not want to allow.

art_henry Tue, 05/22/2007 - 08:33

edadios,

Thanks for the suggestions. I did upgrade from signatures 280 to 287. The traffic is a webport, in fact it is a custom variable as the amount of ports configured in web ports weren't necessary. I also followed your suggestion in trimming down the regular expression. Unfortunately I still get the resource warning "Warning: WARNING: Insufficient resources available to combine all currently active custom regexes. Some alerts will not fire. Consider retiring signatures until this message no longer occurs."

edadios Tue, 05/22/2007 - 17:47

From your statement

"in fact it is a custom variable as the amount of ports configured in web ports weren't necessary"

You should still use the #WEBPORTS, and also remove the custom variable you have created if it is a subset of #WEBPORTS.

If you have other custom signatures you have already created on the sensor, that could be adding to the issue with resources.

Otherwise, I believe you already have a service request logged, I suggest you forward the information pertaining to this issue through that SR, so we could obtain from you further information about your ASA that could help in determining cause for your issue.

It would help to have the existing configuration of the sensor, and the actual regular expression you are trying to add.

If you provide a sample traffic capture of what you want to be allowed, and what you want the sensor to alarm on, by uploading it to the service request, we could help in writing the custom signature for you.

art_henry Wed, 05/23/2007 - 06:53

Thank you for your comments. The SR I have is not to address the intensity of the signature; it is for another issue, but I will pursue this further with an SR. Thanks again.
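
An added illustration, not part of any post in this thread: the two patterns posted above, run against constructed request strings to show what `[^(allow.site)]` does. In regex syntax it is a negated character class that excludes single characters, not the string "allow.site". Python's `re` stands in for the sensor's regex engine (an assumption), and `allow.site`, `other.example` and all paths are placeholders.

```python
import re

# Patterns exactly as posted in the thread. Python's re is used only to show
# character-class semantics; it is not the IPS regex engine (assumption).
ASKER = re.compile(
    r"([^(allow.site)][A-Za-z][0-9])*\x2E([Pp\x50\x70][Hh\x48\x68][Pp\x50\x70])"
)
REPLY = re.compile(r"[^(allow.site)][.][Pp][Hh][Pp]")

# Constructed sample data: the thread never names the real URL.
ALLOWED = "allow.site/login.php"
SAMPLES = [
    ALLOWED,
    "other.example/index.php",
    "other.example/home.php",    # 'e' before ".php" is in the excluded set
    "other.example/status.PHP",  # 's' before ".PHP" is in the excluded set
    "other.example/index.html",
]

PHP = re.compile(r"\.php", re.IGNORECASE)


def wanted(uri):
    """Stated goal: alert on every .php request except the one allowed URL."""
    return bool(PHP.search(uri)) and uri != ALLOWED


def mismatches(pattern):
    """Return (uri, pattern_fired, should_fire) where the two disagree."""
    return [
        (uri, bool(pattern.search(uri)), wanted(uri))
        for uri in SAMPLES
        if bool(pattern.search(uri)) != wanted(uri)
    ]


if __name__ == "__main__":
    for name, pattern in (("asker", ASKER), ("reply", REPLY)):
        for uri, fired, should in mismatches(pattern):
            print(f"{name:5} {uri:28} fired={fired} should_fire={should}")
```

The first pattern's leading group is starred, so it can match zero times and the pattern fires on any `.php`, including the allowed URL. The second fires or not depending only on the one character before `.php`.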
