02-24-2009 11:46 PM - edited 03-11-2019 07:56 AM
Dear All,
we are having a problem as end users have a lot of spyware/malware and have illegal proxies installed in the LAN.
One of the ideas is to deny HTTPS or "CONNECT" type HTTP, at the "inside fwsm/asa", to any IP-based URL destination. Since the IP-based URLs are random, maybe regex could help.
Please advise us how to do it. Thanks.
02-25-2009 03:57 AM
Hi, could you explain what you mean by an IP-based URL (does it mean users typing IP addresses in the browser instead of domain names)?
02-25-2009 04:01 PM
Hi Vikram,
Yes, that's what I meant (users typing IP addresses instead of name addresses).
02-25-2009 09:17 PM
Hi,
You can try this:
#####################################
regex ipurl "\.[0-255]\.[0-255]\.[0-255]\.[0-255]"
!
class-map type regex match-any domain-list
match regex ipurl
!
class-map web
match port tcp eq www
!
policy-map type inspect http URL
parameters
match request header host regex class domain-list
drop-connection
!
policy-map global_policy
class web
inspect http URL
!
####################################
But if you are looking to filter HTTPS, you will have to go for an external URL filtering server.
Hoping this is what you are looking for.
-vikram
02-25-2009 09:39 PM
nice...
~~~~~~~~~~~~~~~~~~~~~
!
class-map web
match port tcp eq www
!
~~~~~~~~~~~~~~~~~~~~~
For this portion, can we replace www with 443?
02-25-2009 09:44 PM
It wouldn't work if you replace "www" with "443" because the traffic is encrypted; for this very reason you will have to opt for an external URL filtering server.
I tried it once with 443 and it didn't work. You can give it a shot though.
Vikram
02-26-2009 01:42 AM
The regex in my earlier reply is horribly wrong;
I will post a reply as soon as I have an accurate one.
-Vikram
02-26-2009 02:57 AM
Hi,
The below regex will match anything but numbers in the host header (http://<
and the below code would drop the HTTP connection as long as there is no a-z or A-Z in the host header (which is basically only numbers in the host header):
#########################################
regex ipurl "[a-zA-Z]+"
!
class-map type regex match-any domain-list
match regex ipurl
!
class-map web
match port tcp eq www
!
policy-map type inspect http URL
parameters
match not request header host regex class domain-list
drop-connection
!
policy-map global_policy
class web
inspect http URL
!
##########################################
I really hope this is helpful to you.
-Vikram
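The two regexes in this thread behave very differently, and the difference is easy to check offline before touching a firewall. The Python below is an added illustration, not Cisco code and not part of the thread: it reuses the two patterns Vikram posted, emulates the "match not" logic of the second policy map against a handful of constructed Host header values, and adds a stricter dotted-quad pattern (my own assumption, not from the thread) for comparison. It also shows the caveat that a letters-only test lets IPv6 literals through because hex digits contain letters.

```python
import re

# Constructed sample Host header values; none come from the thread.
SAMPLE_HOSTS = [
    "www.cisco.com",      # normal name, should be allowed
    "192.168.1.10",       # IPv4 literal, should be dropped
    "10.0.0.1:8080",      # IPv4 literal with port, should be dropped
    "255.255.255.255",    # IPv4 literal, should be dropped
    "cdn.1.2.5.0",        # odd name, not an IP literal
    "[2001:db8::1]",      # IPv6 literal (documentation prefix)
]

# First regex from the thread. A character class is a set of characters,
# not a numeric range: "[0-255]" means {0,1,2,5} and matches exactly one
# character, so this only hits hosts ending in four single digits from
# that set and misses real addresses such as 192.168.1.10.
BROKEN_IPURL = re.compile(r"\.[0-255]\.[0-255]\.[0-255]\.[0-255]")

# Second regex from the thread. The policy map uses "match not", so a Host
# header containing no ASCII letter at all is treated as an IP literal.
LETTERS = re.compile(r"[a-zA-Z]+")

# Stricter alternative (assumption, not from the thread): an explicit IPv4
# dotted quad, each octet 0-255, with an optional port.
OCTET = r"(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
DOTTED_QUAD = re.compile(rf"^{OCTET}(\.{OCTET}){{3}}(:[0-9]+)?$")


def broken_matches(host: str) -> bool:
    """True when the first (wrong) thread regex would match this host."""
    return BROKEN_IPURL.search(host) is not None


def drop_by_letters(host: str) -> bool:
    """Emulates 'match not request header host regex class domain-list':
    the connection is dropped when the letters regex does NOT match."""
    return LETTERS.search(host) is None


def drop_by_dotted_quad(host: str) -> bool:
    """Drop only when the host is a well-formed IPv4 literal."""
    return DOTTED_QUAD.match(host) is not None


def evaluate(hosts=SAMPLE_HOSTS) -> dict:
    """Map each host to (broken_regex_hit, dropped_by_letters, dropped_by_quad)."""
    return {
        h: (broken_matches(h), drop_by_letters(h), drop_by_dotted_quad(h))
        for h in hosts
    }


if __name__ == "__main__":
    print(f"{'host':20} {'[0-255] hit':12} {'drop(letters)':14} {'drop(quad)'}")
    for host, (hit, by_letters, by_quad) in evaluate().items():
        print(f"{host:20} {str(hit):12} {str(by_letters):14} {by_quad}")
```

Running it shows the first pattern never matching any of the real IPv4 literals while matching the constructed "cdn.1.2.5.0", the "match not [a-zA-Z]+" approach dropping every IPv4 literal but letting "[2001:db8::1]" through, and the dotted-quad pattern dropping exactly the IPv4 literals. Note that this is a check of the regex logic only; the thread's second point still stands: none of these inspect the Host header of HTTPS traffic, because it is inside the TLS session.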
02-26-2009 04:07 AM
Hi,
thanks for the info. I appreciate the help that I received.
Anyway, the real problem is due to this software, which can bypass content filtering and firewall configuration: http://www.ultrareach.net/
On the content filtering server, we have managed it by applying a deny "CONNECT" regex for IP-address URLs. So I was thinking whether there is any way we can eliminate it on the FWSM in case the LAN does not have content filtering servers.
I will check in the near future as I don't have any spare ASA for now, and I will respond with any update later. Thank you.