Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)

MPF question

Hi,

ASA 5510 with no IPS/CSC modules.

Can I use the MPF to prevent files with extension .torrent from being downloaded?

Can you specify this using HTTP inspection or regex?

Thank you,

Federico.

3 REPLIES

Re: MPF question

I'm not sure I think that Regex will only work for URL or URI. For example URLs and URI with the .exe or .torrent

check this

https://supportforums.cisco.com/docs/DOC-1268

Re: MPF question

Exactly, I saw that document, but I don't see how to tell the ASA what to do when attemting to download a .torrent file.

I know that can be done with IPS, but again that is not the case.

Federico.

Community Member

Re: MPF question

Here you go bud.  I tested this with .pdf files and it worked.  I'm not brave enough to go to a torrent site to test this.  If you're interested, here is my understanding of why it works:  GET /en/US/docs/security/asa/asa83/command/reference/cmdref.pdf HTTP/1.1

"/en/US/docs/security/asa/asa83/command/reference/cmdref.pdf" is the URI

regex TORRENT ".*\.([Tt][Oo][Rr][Rr][Ee][Nn][Tt])"

class-map type inspect http match-any TORRENT
match request uri regex TORRENT

policy-map type inspect http TORRENT
parameters
  protocol-violation action drop-connection
match request uri regex TORRENT
  drop-connection log


policy-map global_policy
class inspection_default
  inspect http TORRENT

A more elaborate configuration can be found here: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

246
Views
0
Helpful
3
Replies
CreatePlease to create content