09-04-2007 07:35 AM - edited 03-10-2019 03:46 AM
I am trying to block access to URLs that include a certain file name as part of an exploit. Here is a sample URL:
http://www.someplace.com/index.php?exec%20udp.pl
What is usually common in the exploits I am looking to block is the udp.pl. Here is what I have so far, but the regex, even though it tests good so far in ASDM, does not fire.
regex udp.pl "udp"
class-map inspection_default
 match default-inspection-traffic
class-map outside-class
 match port tcp eq www
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
  inspect ftp strict
policy-map type inspect http http_inspect
 parameters
  protocol-violation action drop-connection log
 match request uri regex udp.pl
  drop-connection log
policy-map outside-policy
 class outside-class
  inspect http http_inspect
!
service-policy global_policy global
service-policy outside-policy interface outside
fw1# show service-policy
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns migrated_dns_map_1, packet 122579, drop 37, reset-drop 0
      Inspect: esmtp _default_esmtp_map, packet 65958, drop 0, reset-drop 0
      Inspect: ftp strict, packet 31696, drop 50, reset-drop 43
Interface outside:
  Service-policy: outside-policy
    Class-map: outside-class
      Inspect: http http_inspect, packet 716, drop 0, reset-drop 0
09-10-2007 11:27 AM
HTTP Inspection and URL Inspection are completely independent services. Enhanced HTTP inspection is configured via an 'http-map', which is then applied to the 'inspect http' statement. Both URL Filtering (via Websense and N2H2) and Java/ActiveX filtering are independent of enabling/disabling 'inspect http'.
Check the details of this bug: CSCsd80188
Try this configuration guide for HTTP inspection.
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/inspect.html#wp1144258
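An off-box cross-check for the match discussed in this thread, added here as an example and not taken from either post or from Cisco documentation: it scans web server access logs for requests whose URI names udp.pl, and shows why the bare pattern "udp" is looser than the file name itself. The log format, sample lines, and function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# The post's regex is "udp". Here the file name is matched as a whole token
# with the dot escaped, so a path such as "udp-tuning.html" does not match.
SCRIPT_RE = re.compile(r"(?<![A-Za-z0-9_])udp\.pl(?![A-Za-z0-9_])", re.IGNORECASE)
LOOSE_RE = re.compile(r"udp")  # the pattern as written in the post

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def normalize(uri, max_rounds=3):
    """Percent-decode until stable (bounded), so %20 becomes a literal space."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def flag_requests(lines):
    """Return (line_number, normalized_uri) for each request naming udp.pl."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parsable request line
        uri = normalize(m.group(1))
        if SCRIPT_RE.search(uri):
            hits.append((n, uri))
    return hits

# Constructed sample log lines (documentation-range addresses); the first URI
# is the sample from the original post.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Sep/2007:07:30:01 -0400] "GET /index.php?exec%20udp.pl HTTP/1.1" 200 512',
    '192.0.2.11 - - [04/Sep/2007:07:30:05 -0400] "GET /docs/udp-tuning.html HTTP/1.1" 200 2048',
    '192.0.2.12 - - [04/Sep/2007:07:30:09 -0400] "GET /index.php?exec%20UDP.PL HTTP/1.0" 200 512',
    '192.0.2.13 - - [04/Sep/2007:07:30:12 -0400] "GET /index.php HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for n, uri in flag_requests(SAMPLE_LOG):
        print(f"line {n}: {uri}")
```

Requests that appear here but show no corresponding drop in `show service-policy` indicate the firewall policy is not matching them.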