http uri inspect help

Unanswered Question
Sep 4th, 2007
I am trying to block access to urls that include a certain file name as part of an exploit. Here is a sample URL:

http://www.someplace.com/index.php?exec%20udp.pl

What is usually common in the exploits I am looking to block is the udp.pl. Here is what I have so far, but the regex, even though it tests good so far in ASDM, does not fire.


regex udp.pl "udp"
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match port tcp eq www
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
  inspect ftp strict
policy-map type inspect http http_inspect
 parameters
  protocol-violation action drop-connection log
 match request uri regex udp.pl
  drop-connection log
policy-map outside-policy
 class outside-class
  inspect http http_inspect
!
service-policy global_policy global
service-policy outside-policy interface outside


fw1# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns migrated_dns_map_1, packet 122579, drop 37, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 65958, drop 0, reset-drop 0
      Inspect: ftp strict, packet 31696, drop 50, reset-drop 43

Interface outside:
  Service-policy: outside-policy
    Class-map: outside-class
      Inspect: http http_inspect, packet 716, drop 0, reset-drop 0
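The post's regex is named udp.pl but its pattern is just "udp", so it is worth checking what each candidate pattern would and would not match before trusting it in an inspection policy. The following is an added example (not from the original post or from Cisco) that runs the posted pattern and two tighter alternatives over a few constructed request URIs; it assumes the inspection engine's `.` (any character) and `\.` (literal dot) behave as they do in Python's `re`.

```python
import re

# Constructed sample request URIs. Only the first is taken from the post;
# the rest are made up to show over- and under-matching.
SAMPLE_URIS = [
    "/index.php?exec%20udp.pl",   # the request the poster wants to block
    "/cgi-bin/udp.pl",            # same script name under another path
    "/docs/udp-protocol.html",    # legitimate page that merely contains 'udp'
    "/files/udpXpl",              # hit only by an unescaped '.' wildcard
    "/index.php?page=home",       # unrelated traffic
]

# Candidate patterns: the one posted ("udp") and two tighter variants.
CANDIDATES = {
    "udp": r"udp",                          # as posted: any URI containing 'udp'
    "udp.pl (unescaped dot)": r"udp.pl",    # '.' matches any single character
    "udp\\.pl (escaped dot)": r"udp\.pl",   # literal 'udp.pl' only
}


def matches(pattern: str, uris) -> list:
    """Return the URIs that `pattern` matches anywhere (unanchored search)."""
    rx = re.compile(pattern)
    return [u for u in uris if rx.search(u)]


def compare(candidates=CANDIDATES, uris=SAMPLE_URIS) -> dict:
    """Map each candidate name to the list of sample URIs it would match."""
    return {name: matches(p, uris) for name, p in candidates.items()}


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name}:")
        for u in hits:
            print(f"  {u}")
```

Only the escaped form stays on the two URIs that actually carry udp.pl; the posted pattern also catches the harmless udp-protocol page, which would show up as unexplained drops on otherwise legitimate traffic.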

Anonymous (not verified) Mon, 09/10/2007 - 11:27
HTTP Inspection and URL Inspection are completely independent services. Enhanced HTTP inspection is configured via an 'http-map', which is then applied to the 'inspect http' statement. Both URL Filtering (via Websense and N2H2) and Java/ActiveX filtering are independent of enabling/disabling 'inspect http'.


Check this bug's details: CSCsd80188


Try this configuration guide for HTTP inspection:

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/inspect.html#wp1144258
