Cisco Support Community

http uri inspect help

I am trying to block access to URLs that include a certain file name as part of an exploit. Here is a sample URL:

http://www.someplace.com/index.php?exec%20udp.pl

What is usually common in the exploits I am looking to block is the udp.pl. Here is what I have so far, but the regex, even though it tests good so far in ASDM, does not fire.

regex udp.pl "udp"
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match port tcp eq www
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
  inspect ftp strict
policy-map type inspect http http_inspect
 parameters
  protocol-violation action drop-connection log
 match request uri regex udp.pl
  drop-connection log
policy-map outside-policy
 class outside-class
  inspect http http_inspect
!
service-policy global_policy global
service-policy outside-policy interface outside

fw1# show service-policy

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns migrated_dns_map_1, packet 122579, drop 37, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 65958, drop 0, reset-drop 0
      Inspect: ftp strict, packet 31696, drop 50, reset-drop 43

Interface outside:
  Service-policy: outside-policy
    Class-map: outside-class
      Inspect: http http_inspect, packet 716, drop 0, reset-drop 0
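
Added example, not part of the original post and not Cisco code: an offline check of what a "regex <name> <pattern>" line actually matches. In regex udp.pl "udp" the name is udp.pl and the pattern is udp. Assumptions: Python's re stands in for the firewall's regex engine, the names udp_anychar and udp_literal are hypothetical, and the request URIs are constructed.

```python
import re

# Candidate "regex <name> <pattern>" lines. The first is from the post; the
# other two (udp_anychar, udp_literal) are hypothetical alternatives.
CANDIDATES = r'''
regex udp.pl "udp"
regex udp_anychar "udp.pl"
regex udp_literal "udp\.pl"
'''

# Constructed request URIs: (uri, should_block)
SAMPLES = [
    ("/index.php?exec%20udp.pl", True),             # URI of the URL in the post
    ("/forum/index.php?exec%20udp.pl&id=7", True),  # same file name, other path
    ("/docs/udp-tuning.html", False),               # benign, contains "udp"
    ("/files/udp_pl_notes.txt", False),             # benign, "udp" + any char + "pl"
]

REGEX_LINE = re.compile(r'^\s*regex\s+(\S+)\s+"?([^"]*)"?\s*$')


def parse_regex_lines(config):
    """Return {name: pattern} for every 'regex <name> <pattern>' statement."""
    found = {}
    for line in config.splitlines():
        m = REGEX_LINE.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def evaluate(pattern, samples):
    """Return (missed, false_positives) for one pattern over the samples."""
    rx = re.compile(pattern)  # assumption: re approximates the device engine
    missed = [u for u, bad in samples if bad and not rx.search(u)]
    false_pos = [u for u, bad in samples if not bad and rx.search(u)]
    return missed, false_pos


def report(config=CANDIDATES, samples=SAMPLES):
    """Map each regex name to its (missed, false_positives) lists."""
    return {n: evaluate(p, samples) for n, p in parse_regex_lines(config).items()}


if __name__ == "__main__":
    for name, (missed, fps) in report().items():
        print(f"{name}: missed={missed} false_positives={fps}")
```
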

1 REPLY
Anonymous

Re: http uri inspect help

HTTP Inspection and URL Inspection are completely independent services. Enhanced HTTP inspection is configured via an 'http-map', which is then applied to the 'inspect http' statement. Both URL Filtering (via Websense and N2H2) and Java/ActiveX filtering are independent of enabling/disabling 'inspect http'.

Check the details of this bug: CSCsd80188

Try this configuration guide for HTTP inspection.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/inspect.html#wp1144258
