02-24-2009 11:46 PM - edited 03-11-2019 07:56 AM
Dear All,
we are having problems as end users have a lot of spyware/malware and have illegal proxies installed in the LAN.
One of the ideas is to deny HTTPS or "CONNECT"-type HTTP at the "inside FWSM/ASA" to any IP-based URL destination. Since the IP-based URLs are random, maybe a regex could help.
Please advise us how to do it. Thanks.
02-25-2009 03:57 AM
Hi, could you explain what you mean by an IP-based URL? (Does it mean users typing IP addresses in the browser instead of domain names?)
02-25-2009 04:01 PM
Hi Vikram,
Yes, that's what I meant (users typing IP addresses instead of name addresses).
02-25-2009 09:17 PM
Hi,
You can try this:
#####################################
regex ipurl "\.[0-255]\.[0-255]\.[0-255]\.[0-255]"
!
class-map type regex match-any domain-list
 match regex ipurl
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match request header host regex class domain-list
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
!
####################################
But if you are looking to filter HTTPS, you will have to go for an external URL filtering server.
Hoping this is what you are looking for.
-vikram
02-25-2009 09:39 PM
Nice...
~~~~~~~~~~~~~~~~~~~~~
!
class-map web
 match port tcp eq www
!
~~~~~~~~~~~~~~~~~~~~~
For this portion, can we replace www with 443?
02-25-2009 09:44 PM
It wouldn't work if you replace "www" with "443" because the traffic is encrypted; for this very reason you will have to opt for an external URL filtering server.
I tried it once with 443 and it didn't work. You can give it a shot though.
Vikram
02-26-2009 01:42 AM
The regex in my earlier reply is horribly wrong;
I will post a reply as soon as I have an accurate one.
-Vikram
02-26-2009 02:57 AM
Hi,
The below regex will match anything but numbers in the host header (http://<
and the below code would drop the HTTP connection as long as there is no a-z or A-Z in the host header (which is basically only numbers in the host header).
#########################################
regex ipurl "[a-zA-Z]+"
!
class-map type regex match-any domain-list
 match regex ipurl
!
class-map web
 match port tcp eq www
!
policy-map type inspect http URL
 parameters
 match not request header host regex class domain-list
  drop-connection
!
policy-map global_policy
 class web
  inspect http URL
!
##########################################
I really hope this is helpful to you.
-Vikram
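The following is an added example, not code from the thread or from Cisco: a small Python emulation of the two regex approaches above, run over a constructed set of HTTP Host header values, so the effect of `match not request header host regex class domain-list` plus `drop-connection` can be checked before touching an ASA/FWSM. It also shows why the first regex, `\.[0-255]\.[0-255]\.[0-255]\.[0-255]`, is wrong: `[0-255]` is a character class of the digits 0-2 and 5, not the number range 0 to 255. The IPv6 literal in the sample list is an assumption added here to show a case the letters-only test does not catch, since hex digits a-f are letters. Only plaintext HTTP on port 80 is modelled; as the thread says, HTTPS cannot be inspected this way.

```python
import re

# Constructed sample Host header values (not from the thread).
SAMPLE_HOSTS = [
    "www.example.com",          # normal name-based host
    "203.0.113.10",             # IPv4 literal, the case the thread wants to drop
    "203.0.113.10:8080",        # IPv4 literal with a port
    "[2001:db8::1]",            # IPv6 literal (contains hex letters d and b)
    "10.0.0.1.example.net",     # name that merely starts with digits
]

# First regex from the thread: [0-255] is a character class (digits 0-2 and 5),
# so this only matches four dots each followed by one of those single digits.
BROKEN_REGEX = re.compile(r"\.[0-255]\.[0-255]\.[0-255]\.[0-255]")

# Corrected regex from the thread: "any ASCII letter anywhere in the host".
LETTER_REGEX = re.compile(r"[a-zA-Z]+")


def broken_regex_matches(host: str) -> bool:
    """True if the first (wrong) regex would match this Host header."""
    return BROKEN_REGEX.search(host) is not None


def would_drop(host: str) -> bool:
    """Emulate: match NOT request header host regex class domain-list -> drop-connection.

    The connection is dropped when the Host header contains no a-z or A-Z at all,
    which in practice means a bare IPv4 literal (with or without a port).
    """
    return LETTER_REGEX.search(host) is None


def classify(hosts):
    """Return {host: 'drop' | 'allow'} under the corrected policy."""
    return {h: ("drop" if would_drop(h) else "allow") for h in hosts}


if __name__ == "__main__":
    for host, verdict in classify(SAMPLE_HOSTS).items():
        print(f"{host:25} broken-regex={broken_regex_matches(host)!s:5} policy={verdict}")
```

Running it shows that the broken regex never matches a normal dotted quad such as `203.0.113.10` (it needs four dots, each followed by a single digit from 0-2 or 5, e.g. `a.1.2.0.5`), while the letters-only test drops both IPv4 literal forms and allows every name, including the IPv6 literal, which an operator would need to handle separately if that traffic exists on the LAN.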
02-26-2009 04:07 AM
Hi.
Thanks for the info. I appreciate the help that I received.
Anyway, the real problem is due to this software, which can bypass content filtering and firewall configuration: http://www.ultrareach.net/
On the content filtering server, we have managed it by applying a deny "CONNECT" regex on IP-address URLs. So I was thinking whether there is any way we can eliminate it on the FWSM in case the LAN does not have content filtering servers.
I will check in the near future as I don't have any spare ASA for now, and I will respond with any update later. Thank you.