topic You have to use regular in Network Security

URL Filtering on ASA

johnlloyd_13 — Tue, 12 Mar 2019 07:47:09 GMT

hi all,

one of our site has an Ipoque DPI device that failed recently (currently on fail-to-wire).

it would take a while for it to be replaced since it's a remote location.

and we don't have the budget to do websense or IPS (FirePower).

i would like to implement URL filtering on the ASA 5525-X while waiting for its RMA.

below is what i did for testing on an ASA 5505.

if i type "thepiratebay.org" the web session is reset, but when i type www.thepiratebay.org, the session goes through.

also while the 3 domains are blocked, ALL domains that is NOT on the blacklist are also being blocked.

i would appreciate if someone could further advise.

regex Facebook “.facebook.com”
regex Youtube “.youtube.com”
regex PirateBay “.thepiratebay.org”
regex Google “.google.com”

access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq https

class-map type regex match-any BlackList
match regex Facebook
match regex Youtube
match regex PirateBay

class-map type regex match-any WhiteList
match regex Google

class-map type inspect http match-all AllowDomains
match request header host regex class WhiteList

class-map type inspect http match-all BlockDomains
match request header host regex class BlackList

class-map httptraffic
match access-list inside_mpc

policy-map type inspect http HTTP_POLICY
parameters
protocol-violation action drop-connection
class AllowDomains
class BlockDomains
drop-connection

policy-map inside-policy
class httptraffic
inspect http HTTP_POLICY

service-policy inside-policy interface inside

You have to use regular

Philip D'Ath — Tue, 24 May 2016 03:23:14 GMT

You have to use regular expressions. And it is worse than that. If you type "thePiratebay.org" you will also find it works.

You would need to use something more like:

regex PirateBay “.*\.[tT][hH][eE][pP][iI][rR][aA][tT][eE][bB][aA][yY]\.[oO][rT][gG]”

DNS filtering is sometimes much easier. Just block all DNS lookups for the domain instead. This has the bonus of stopping all protocols trying to use it. Note if the machine has already done a DNS lookup it will be cached. So clear your DNS cache when testing.

Quick example:

regex domain_logmein.com “\.logmein\.com”

class-map type regex match-any DomainBlockList
 description Blocked Domains
 match regex domain_logmein.com
 
policy-map type inspect dns PM-DNS-inspect
 parameters
  message-length maximum 512
  match domain-name regex class DomainBlockList
  drop-connection log
 
policy-map global_policy
 class inspection_default
  inspect dns PM-DNS-inspect

hi,

johnlloyd_13 — Tue, 24 May 2016 03:37:08 GMT

hi,

your suggested regex seemed to work but ONLY for blocked domains.

the config still blocks other allowed domains. i can access google but NOT yahoo even though i explicitly added it on the whitelist. below is the update config.

cisco.com also worked even though it's not on the whitelist. i've also tried random sites, some allowed (i.e. verizon.com) and some were NOT (i.e att.com).

any idea?

regex Facebook “.*\.[fF][aA][cC][eE][bB][oO][oO][kK]\.[cC][oO][mM]”
regex Youtube “.*\.[yY][oO][uU][tT][uU][bB][eE]\.[cC][oO][mM]”
regex PirateBay “.*\.[tT][hH][eE][pP][iI][rR][aA][tT][eE][bB][aA][yY]\.[oO][rR][gG]”
regex Google “.*\.[gG][oO][oO][gG][lL][eE]\.[cC][oO][mM]”
regex Yahoo “.*\.[yY][aA][hH][oO][oO]\.[cC][oO][mM]”

access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq https

class-map type regex match-any BlackList
match regex Facebook
match regex Youtube
match regex PirateBay

class-map type regex match-any WhiteList
match regex Google
match regex Yahoo

class-map type inspect http match-any AllowDomains
match request uri regex class WhiteList

class-map type inspect http match-any BlockDomains
match request uri regex class BlackList

class-map httptraffic
match access-list inside_mpc

policy-map type inspect http HTTP_POLICY
parameters
protocol-violation action drop-connection
class AllowDomains
class BlockDomains
drop-connection

policy-map inside-policy
class httptraffic
inspect http HTTP_POLICY

service-policy inside-policy interface inside

Why do you need to define

Philip D'Ath — Tue, 24 May 2016 03:42:06 GMT

Why do you need to define AllowDomains? Why not just have a BlockDomains and allow everything else?

hi,

johnlloyd_13 — Tue, 24 May 2016 04:15:36 GMT

hi,

i've tried that before but it blocks 'some' websites.

i tried it again and still the same. the config below blocks yahoo.com and att.com.

can you help take a look and advise?

regex Facebook “.*\.[fF][aA][cC][eE][bB][oO][oO][kK]\.[cC][oO][mM]”
regex Youtube “.*\.[yY][oO][uU][tT][uU][bB][eE]\.[cC][oO][mM]”
regex PirateBay “.*\.[tT][hH][eE][pP][iI][rR][aA][tT][eE][bB][aA][yY]\.[oO][rR][gG]”

access-list inside_mpc extended permit tcp any any eq www
access-list inside_mpc extended permit tcp any any eq https

class-map type regex match-any BlackList
match regex Facebook
match regex Youtube
match regex PirateBay

class-map type inspect http match-all BlockDomains <<< ALSO TRIED match-any
match request header host regex class BlackList <<< ALSO TRIED match request uri regex class BlackList

class-map httptraffic
match access-list inside_mpc

policy-map type inspect http HTTP_POLICY
parameters
protocol-violation action drop-connection
class BlockDomains
drop-connection

policy-map inside-policy
class httptraffic
inspect http HTTP_POLICY

service-policy inside-policy interface inside

Last time I did this myself,

Philip D'Ath — Tue, 24 May 2016 04:28:22 GMT

Last time I did this myself, I used the domain method with DNS inspection.

Example:

regex domain_trademe.co.nz "trademe\.co\.nz"
regex domain_youtube.com "youtube\.com"
regex domain_facebook.com "facebook\.com"

class-map type regex match-any DomainBlockList
 description Blocked Domains
 match regex domain_facebook.com
 match regex domain_trademe.co.nz
 match regex domain_youtube.com

policy-map type inspect dns PM-DNS-inspect
 parameters
  message-length maximum 512
  match domain-name regex class DomainBlockList
  drop-connection log

policy-map global_policy
 class inspection_default
  inspect dns PM-DNS-inspect

hi,

johnlloyd_13 — Tue, 24 May 2016 05:17:06 GMT

hi,

thanks! your DNS inspect config works like a charm!