I am trying to block access to URLs that include a certain file name as part of an exploit. Here is a sample URL:
http://www.someplace.com/index.php?exec%20udp.pl
What is usually common in the exploits I am looking to block is the udp.pl. Here is what I have so far, but the regex, even though it tests good so far in ASDM, does not fire.
regex udp.pl "udp"
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match port tcp eq www
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
  inspect ftp strict
policy-map type inspect http http_inspect
 parameters
  protocol-violation action drop-connection log
 match request uri regex udp.pl
  drop-connection log
policy-map outside-policy
 class outside-class
  inspect http http_inspect
!
service-policy global_policy global
service-policy outside-policy interface outside
fw1# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns migrated_dns_map_1, packet 122579, drop 37, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 65958, drop 0, reset-drop 0
      Inspect: ftp strict, packet 31696, drop 50, reset-drop 43
Interface outside:
  Service-policy: outside-policy
    Class-map: outside-class
      Inspect: http http_inspect, packet 716, drop 0, reset-drop 0
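Added example, not from the post or from Cisco: a small Python harness for checking a candidate `regex` pattern against constructed request lines before it goes into `match request uri regex`. It compares the post's literal `"udp"` with the file name written unescaped (`udp.pl`, where the dot matches any character) and escaped (`udp\.pl`), and shows what percent-decoding the URI first changes. The request-line parsing is a simplification and is not the ASA's inspection engine.

```python
import re
from urllib.parse import unquote

# Candidate patterns (constructed for this example):
#   "udp"      - the literal from the post's `regex udp.pl "udp"` line
#   "udp.pl"   - the file name as written; the unescaped dot matches any character
#   r"udp\.pl" - the file name with the dot escaped, so only the literal name matches
PATTERNS = {
    "udp": re.compile(r"udp"),
    "udp.pl": re.compile(r"udp.pl"),
    r"udp\.pl": re.compile(r"udp\.pl"),
}

# Constructed request lines: the post's sample URL, a percent-encoded spelling of
# the same file name, a benign file that shares the "udp" substring, and a plain request.
SAMPLE_REQUESTS = [
    "GET /index.php?exec%20udp.pl HTTP/1.1",
    "GET /index.php?f=udp%2Epl HTTP/1.1",
    "GET /images/udp_plan.png HTTP/1.1",
    "GET /index.php HTTP/1.1",
]


def request_uri(request_line: str) -> str:
    """Return the request-target from an HTTP request line (minimal parser,
    not the ASA's inspection engine)."""
    parts = request_line.split()
    if len(parts) < 2:
        raise ValueError(f"malformed request line: {request_line!r}")
    return parts[1]


def uri_matches(pattern: re.Pattern, request_line: str, decode: bool = True) -> bool:
    """True when the pattern is found in the URI, optionally after percent-decoding
    so an encoded spelling is compared the way the web server will read it."""
    uri = request_uri(request_line)
    if decode:
        uri = unquote(uri)
    return pattern.search(uri) is not None


def evaluate(request_lines, decode: bool = True) -> dict:
    """Map each request line to {pattern label: matched?} for every candidate pattern."""
    return {
        line: {label: uri_matches(pat, line, decode) for label, pat in PATTERNS.items()}
        for line in request_lines
    }


if __name__ == "__main__":
    for line, hits in evaluate(SAMPLE_REQUESTS).items():
        print(line, hits)
```

The benign `udp_plan.png` line is the one to watch: the unescaped `udp.pl` pattern drops it, while `udp\.pl` only fires on the literal file name.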