Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
462
Views
0
Helpful
5
Replies

allow 1 url while blocking others

art_henry
Level 1
Level 1

‎05-14-2007 10:49 AM - edited ‎03-10-2019 03:36 AM

Hello All,

I am running an ASA w/AIP. What I would like to do is block all url request for .php except for 1 url. The engine being used for the custom signature is service-http.

I have tried ([^(allow.site)][A-Za-z][0-9])*\x2E([Pp\x50\x70][Hh\x48\x68][Pp\x50\x70])

After configuring this custom signature the IPS complains that all signatures might not fire and signatures should be retired. I've tried to reduce the signatures but the custom signature is still to demanding. My question is, are there any other suggestions as to how this can be achieved?

Thanks

Labels:
0 Helpful
5 Replies 5

art_henry
Level 1
Level 1

‎05-21-2007 11:53 AM

bump...any ideas?

0 Helpful

edadios
Cisco Employee
Cisco Employee
In response to art_henry

‎05-21-2007 08:48 PM

You should have the latest signature version installed, as there has been some modification that helped in the memory side, compared to some older signature version.

I think something like this should do (have to define allow.site more).

[^(allow.site)][.][Pp][Hh][Pp]

Also, if the port the traffic is expected on is a port listed on WEBPORTS under signature variable in IDM, define the port as #WEBPORTS

Otherwise, please clarify what is the url you want to allow, and a sample of what you do not want to allow.

0 Helpful

art_henry
Level 1
Level 1
In response to edadios

‎05-22-2007 08:33 AM

edadios,

Thanks for the suggestions. I did upgrade from signatures 280 to 287. The traffic is a webport, in fact it is a custom variable as the amount of ports configured in web ports weren't necessary. I also followed your suggestion in trimming down the regular expresion. Unfortunately I still get the resource warning "Warning: WARNING: Insufficient resources available to combine all currently acti

ve custom regexes. Some alerts will not fire. Consider retiring signatures until

this message no longer occurs."

0 Helpful

edadios
Cisco Employee
Cisco Employee
In response to art_henry

‎05-22-2007 05:47 PM

From your statement

"in fact it is a custom variable as the amount of ports configured in web ports weren't necessary"

You should still use the #WEBPORTS, and also remove the custom variable you have created if it is a subset of #WEBPORTS.

If you have other custom signatures you have already created on the sensor, that could be adding to the issue with resources.

Otherwise, I believe you already have a service request logged, I suggest you forward the information pertaining to this issue through that SR, so we could obtain from you further information about your ASA that could help in determining cause for your issue.

It would help to have the existing configuration of the sensor, and what the actual regular expression you are trying to add.

Providing a sample capture traffic of what you want to be allowed, and what you want the sensor to alarm on, by uploading it to the service request, we could help in writing the custom signature for you.

0 Helpful

art_henry
Level 1
Level 1
In response to edadios

‎05-23-2007 06:53 AM

Thank you for your comments. The SR I have is not to address the intensity of the signature it is another issue, but I will pursue further with a SR. Thanks again.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card