
http uri inspect help

I am trying to block access to URLs that include a certain file name as part of an exploit. Here is a sample URL:

http://www.someplace.com/index.php?exec%20udp.pl

What is usually common in the exploits I am looking to block is the udp.pl. Here is what I have so far, but the regex, even though it tests good so far in ASDM, does not fire.

regex udp.pl "udp"
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match port tcp eq www
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
  inspect ftp strict
policy-map type inspect http http_inspect
 parameters
  protocol-violation action drop-connection log
 match request uri regex udp.pl
  drop-connection log
policy-map outside-policy
 class outside-class
  inspect http http_inspect
!
service-policy global_policy global
service-policy outside-policy interface outside

fw1# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns migrated_dns_map_1, packet 122579, drop 37, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 65958, drop 0, reset-drop 0
      Inspect: ftp strict, packet 31696, drop 50, reset-drop 43

Interface outside:
  Service-policy: outside-policy
    Class-map: outside-class
      Inspect: http http_inspect, packet 716, drop 0, reset-drop 0

1 Reply

HTTP Inspection and URL Inspection are completely independent services. Enhanced HTTP inspection is configured via an 'http-map', which is then applied to the 'inspect http' statement. Both URL Filtering (via Websense and N2H2) and Java/ActiveX filtering are independent of enabling/disabling 'inspect http'.

Check this bug's details: CSCsd80188

Try this configuration guide for HTTP inspection.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/inspect.html#wp1144258
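An added example, not part of the original thread or of Cisco's documentation: a Python check that scores candidate URI patterns against sample requests before they go into an inspection policy, counting false positives and misses. Python's re module stands in for the ASA regex engine (an assumption, the two differ in syntax details), and the benign URLs and the pattern names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# (url, should_block). The first URL is the sample from the post;
# the two benign ones are constructed for this example.
SAMPLES = [
    ("http://www.someplace.com/index.php?exec%20udp.pl", True),
    ("http://www.someplace.com/docs/udp-tuning.html", False),
    ("http://www.someplace.com/index.php?page=udp_plot", False),
]

# "post" is the pattern from the post; the rest are hypothetical alternatives.
PATTERNS = {
    "post": r"udp",
    "unescaped_dot": r"udp.pl",     # "." matches any character
    "escaped_dot": r"udp\.pl",      # literal dot
    "with_exec": r"exec udp\.pl",   # needs the %20 decoded to a space
}


def request_uri(url):
    """Return path plus query string, as sent on the HTTP request line."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def evaluate(pattern, decode=False):
    """Return (false_positives, false_negatives) for pattern over SAMPLES.

    decode=True percent-decodes the URI first, so %20 becomes a space.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    fp = fn = 0
    for url, should_block in SAMPLES:
        uri = request_uri(url)
        if decode:
            uri = unquote(uri)
        hit = rx.search(uri) is not None
        fp += hit and not should_block
        fn += should_block and not hit
    return fp, fn


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        for decode in (False, True):
            print(name, "decoded" if decode else "raw", evaluate(pattern, decode))
```

Whether the firewall matches the raw or the percent-decoded URI is not stated in the thread, so the raw and decoded columns should both be checked against what the device actually logs.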
