MPF question

Federico Coto Fajardo · ‎06-24-2010

Hi,

ASA 5510 with no IPS/CSC modules.

Can I use the MPF to prevent files with extension .torrent from being downloaded?

Can you specify this using HTTP inspection or regex?

Thank you,

Federico.

Diego Armando Cambronero Arias · ‎06-24-2010

I'm not sure I think that Regex will only work for URL or URI. For example URLs and URI with the .exe or .torrent

check this

https://supportforums.cisco.com/docs/DOC-1268

Federico Coto Fajardo · ‎06-24-2010

Exactly, I saw that document, but I don't see how to tell the ASA what to do when attemting to download a .torrent file.

I know that can be done with IPS, but again that is not the case.

Federico.

charradke · ‎08-09-2010

Here you go bud. I tested this with .pdf files and it worked. I'm not brave enough to go to a torrent site to test this. If you're interested, here is my understanding of why it works: GET /en/US/docs/security/asa/asa83/command/reference/cmdref.pdf HTTP/1.1

"/en/US/docs/security/asa/asa83/command/reference/cmdref.pdf" is the URI

regex TORRENT ".*\.([Tt][Oo][Rr][Rr][Ee][Nn][Tt])"

class-map type inspect http match-any TORRENT
match request uri regex TORRENT

policy-map type inspect http TORRENT
parameters
protocol-violation action drop-connection
match request uri regex TORRENT
drop-connection log

policy-map global_policy
class inspection_default
inspect http TORRENT

A more elaborate configuration can be found here: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml