I am running an ASA w/AIP. What I would like to do is block all URL requests for .php except for 1 URL. The engine being used for the custom signature is service-http.
I have tried ([^(allow.site)][A-Za-z][0-9])*\x2E([Pp\x50\x70][Hh\x48\x68][Pp\x50\x70])
After configuring this custom signature the IPS complains that all signatures might not fire and signatures should be retired. I've tried to reduce the signatures but the custom signature is still too demanding. My question is, are there any other suggestions as to how this can be achieved?
Thanks for the suggestions. I did upgrade from signatures 280 to 287. The traffic is a webport, in fact it is a custom variable as the amount of ports configured in web ports weren't necessary. I also followed your suggestion in trimming down the regular expression. Unfortunately I still get the resource warning "Warning: WARNING: Insufficient resources available to combine all currently active custom regexes. Some alerts will not fire. Consider retiring signatures until
"in fact it is a custom variable as the amount of ports configured in web ports weren't necessary"
You should still use the #WEBPORTS, and also remove the custom variable you have created if it is a subset of #WEBPORTS.
If you have other custom signatures you have already created on the sensor, that could be adding to the issue with resources.
Otherwise, I believe you already have a service request logged, I suggest you forward the information pertaining to this issue through that SR, so we could obtain from you further information about your ASA that could help in determining cause for your issue.
It would help to have the existing configuration of the sensor, and what the actual regular expression you are trying to add is.
If you provide a sample traffic capture of what you want to be allowed, and what you want the sensor to alarm on, by uploading it to the service request, we could help in writing the custom signature for you.
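Added example, not part of the original thread: a Python check of how the posted pattern is parsed, showing that `[^(allow.site)]` is a negated character class (a set of single characters) rather than "anything except allow.site", and that the optional leading group lets the signature match every `.php` request. Python's `re` module is used only to illustrate the syntax and the intended allow-one-URL logic; the sensor's regex engine is not modelled, and the request lines and the `/index.php` path are constructed.

```python
import re

# The pattern exactly as posted in the question.
POSTED = r"([^(allow.site)][A-Za-z][0-9])*\x2E([Pp\x50\x70][Hh\x48\x68][Pp\x50\x70])"


def excluded_chars(candidates):
    """Characters that the bracket expression [^(allow.site)] refuses to match."""
    cls = re.compile(r"[^(allow.site)]")
    return sorted(c for c in set(candidates) if not cls.fullmatch(c))


def posted_fires(request_text):
    """True if the posted pattern matches anywhere in the request text."""
    return re.search(POSTED, request_text) is not None


# Intended policy, written as two explicit steps instead of one regex.
# The host comes from the question; the path is a constructed placeholder.
ALLOWED = ("allow.site", "/index.php")
PHP_SUFFIX = re.compile(r"\.php$", re.IGNORECASE)


def should_block(host, uri):
    """Block any request whose path ends in .php unless it is the one allowed URL."""
    path = uri.split("?", 1)[0]          # ignore the query string
    if not PHP_SUFFIX.search(path):
        return False                     # not a .php request
    return (host.lower(), path) != ALLOWED


if __name__ == "__main__":
    # Constructed request text for illustration.
    allowed_req = "GET /index.php HTTP/1.1\r\nHost: allow.site\r\n"
    other_req = "GET /admin.php HTTP/1.1\r\nHost: other.example\r\n"
    print("class excludes:", excluded_chars("allow.site()xyz019"))
    print("posted pattern fires on allowed URL:", posted_fires(allowed_req))
    print("posted pattern fires on other URL:  ", posted_fires(other_req))
    print("policy blocks allowed URL:", should_block("allow.site", "/index.php"))
    print("policy blocks other URL:  ", should_block("other.example", "/admin.php"))
```

Because the leading group is followed by `*`, it may match zero times, so the posted pattern reduces to "any `.php`" and the intended exception never takes effect.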