allow 1 url while blocking others

Unanswered Question
May 14th, 2007
Hello All,

I am running an ASA w/AIP. What I would like to do is block all URL requests for .php except for one URL. The engine being used for the custom signature is service-http.

I have tried ([^(][A-Za-z][0-9])*\x2E([Pp\x50\x70][Hh\x48\x68][Pp\x50\x70])

After configuring this custom signature the IPS complains that all signatures might not fire and signatures should be retired. I've tried to reduce the signatures but the custom signature is still too demanding. My question is, are there any other suggestions as to how this can be achieved?


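As an added illustration (not from the thread or from Cisco), the detection logic the question asks for, modelled in Python: the poster's regex transcribed as written, beside an allow-list check that alerts on every .php request except one assumed path. An IPS regex on its own has no way to say "except this URL", which is why the check is modelled as pattern-plus-exception; the allowed path /login.php and the request lines are constructed.

```python
import re

# Assumed allow-listed URL path (constructed for this example).
ALLOWED_PHP_PATH = "/login.php"

# The poster's regex, transcribed as a Python pattern. Note that
# [Pp\x50\x70] is just P/p listed twice: \x50 == 'P' and \x70 == 'p'.
ORIGINAL_PATTERN = re.compile(
    r"([^(][A-Za-z][0-9])*\x2E([Pp\x50\x70][Hh\x48\x68][Pp\x50\x70])"
)

# Minimal HTTP request-line parser: METHOD SP URI SP HTTP/1.x
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]$")


def original_regex_fires(request_line: str) -> bool:
    """True if the poster's pattern would match anywhere in the line."""
    return ORIGINAL_PATTERN.search(request_line) is not None


def should_alert(request_line: str, allowed_path: str = ALLOWED_PHP_PATH) -> bool:
    """Alert on any .php request whose path is not the single allowed one."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False                       # not an HTTP request line
    path = m.group("uri").split("?", 1)[0]  # strip the query string
    if not path.lower().endswith(".php"):   # case-insensitive, like the regex
        return False
    return path != allowed_path             # the one exception is allowed


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /login.php HTTP/1.1",
    "GET /login.php?user=bob HTTP/1.1",
    "GET /admin/config.PHP HTTP/1.1",
    "POST /upload.php HTTP/1.0",
    "GET /images/logo.png HTTP/1.1",
    "GET /phpinfo HTTP/1.1",
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Return (line, original regex fires, allow-list check alerts) per line."""
    return [(r, original_regex_fires(r), should_alert(r)) for r in requests]


if __name__ == "__main__":
    for line, regex_hit, alert in evaluate():
        print(f"{line:40} regex={regex_hit!s:5} alert={alert}")
```

Running it shows the original pattern firing on the allowed path as well as on every other .php request, which is the gap the exception logic closes.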
edadios Mon, 05/21/2007 - 20:48

You should have the latest signature version installed, as there have been some modifications that helped on the memory side compared to some older signature versions.

I think something like this should do (have to define more).


Also, if the port the traffic is expected on is a port listed under WEBPORTS in the signature variables in IDM, define the port as #WEBPORTS.

Otherwise, please clarify what is the url you want to allow, and a sample of what you do not want to allow.

art_henry Tue, 05/22/2007 - 08:33

Thanks for the suggestions. I did upgrade from signatures 280 to 287. The traffic is a webport; in fact it is a custom variable, as the amount of ports configured in web ports wasn't necessary. I also followed your suggestion in trimming down the regular expression. Unfortunately I still get the resource warning "Warning: WARNING: Insufficient resources available to combine all currently active custom regexes. Some alerts will not fire. Consider retiring signatures until this message no longer occurs."

edadios Tue, 05/22/2007 - 17:47

From your statement:

"in fact it is a custom variable as the amount of ports configured in web ports weren't necessary"

You should still use #WEBPORTS, and also remove the custom variable you have created if it is a subset of #WEBPORTS.

If you have other custom signatures already created on the sensor, they could be adding to the issue with resources.

Otherwise, I believe you already have a service request logged; I suggest you forward the information pertaining to this issue through that SR, so we can obtain further information about your ASA from you that could help in determining the cause of your issue.

It would help to have the existing configuration of the sensor, and the actual regular expression you are trying to add.

If you provide a sample capture of the traffic you want to be allowed, and of what you want the sensor to alarm on, by uploading it to the service request, we could help in writing the custom signature for you.

art_henry Wed, 05/23/2007 - 06:53
Thank you for your comments. The SR I have is not to address the intensity of the signature; it is for another issue, but I will pursue this further with an SR. Thanks again.
