Enabling Advanced HTTP application inspection

mahesh18 — Tue, 12 Mar 2019 02:05:28 GMT

Hi Everyone,

For testing purposes i enable Advanced HTTP application inspection on ASA globally.

Here is the config

policy-map type inspect http http_inspect_map

parameters

protocol-violation action drop-connection log

match not response header content-type application/msword?????????????????????

drop-connection log

Need to know what does statement with ??????????????? have effect on ASA??????????

Enabled it globally

policy-map global_policy

class inspection_default

inspect http http_inspect_

After doing this i can open first page of any website but after that no other page opens up here are the logs

Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34378 for outside:173.194.33.34/443 (173.194.33.34/443) to DMZ:192.168.70.5/29735 (192.168.71.74/29735)

Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34379 for outside:173.194.33.43/80 (173.194.33.43/80) to DMZ:192.168.70.5/29736 (192.168.71.74/29736)

Jun 30 2013 20:22:27: %ASA-6-302013: Built outbound TCP connection 34380 for outside:173.194.33.50/80 (173.194.33.50/80) to DMZ:192.168.70.5/29737 (192.168.71.74/29737)

Jun 30 2013 20:22:28: %ASA-6-302013: Built outbound TCP connection 34381 for outside:173.194.33.50/80 (173.194.33.50/80) to DMZ:192.168.70.5/29738 (192.168.71.74/29738)

Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.50:http://t2.gstatic.com/images?q=tbn:ANd9GcRylNXDAKorJERG8q6xKzFCVStYj3R5dqyCHsNoCu__abROPRFFXWFM6z5_y0B_Tm_Ox26cokA

Jun 30 2013 20:22:28: %ASA-5-415008: HTTP - matched not response header content-type application/msword in policy-map http_inspect_map, header matched - Dropping connection from DMZ:192.168.70.5/29737 to outside: 173.194.33.50/80

Jun 30 2013 20:22:28: %ASA-4-507003: tcp flow from DMZ:192.168.70.5/29737 to outside:173.194.33.50/80 terminated by inspection engine, reason - disconnected, dropped packet.

Jun 30 2013 20:22:28: %ASA-6-302014: Teardown TCP connection 34380 for outside:173.194.33.50/80 to DMZ:192.168.70.5/29737 duration 0:00:00 bytes 382 Flow closed by inspection

Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags PSH ACK on interface outside

Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=7&gs_id=35&xhr=t&q=rediff.&es_nrs=true&pf=p&biw=1366&bih=622&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&tch=1&ech=7&psi=4efQUcL1GcPOiwL3wYAg.1372645345226.1

Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/gen_204?v=3&s=web&action=&ei=4-fQUd3eMqrpiwL0nYCABQ&e=17259,4000116,4001350,4002693,4002855,4003242,4003881,4004320,4004334,4004844,4004949,4004953,4005865,4005875,4006268,4006426,4006442,4006466,4006727,4007055,4007080,4007117,4007158,4007173,4007230,4007244,4007408,4007445,4007533,4007566,4007661,4007668,4007745,4007762,4007763,4007779,4007798,4007804,4007874,4007886,4007892,4007917,4007927,4007942,4008028,4Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags PSH ACK on interface outside

Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=8&gs_id=3j&xhr=t&q=rediff.c&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=8&psi=4efQUcL1GcPOiwL3wYAg.1372645345226.1

Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=9&gs_id=3z&xhr=t&q=rediff.co&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=9&psi=4efQUcL1GcPOiwL3wYAg.1372645345226.1

Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/gen_204?v=3&s=web&action=&ei=5OfQUYiCCqbAigKa9ICICg&e=17259,4000116,4001350,4002693,4002855,4003242,4003881,4004320,4004334,4004844,4004949,4004953,4005865,4005875,4006268,4006426,4006442,4006466,4006727,4007055,4007080,4007117,4007158,4007173,4007230,4007244,4007408,4007445,4007533,4007566,4007661,4007668,4007745,4007762,4007763,4007779,4007798,4007804,4007874,4007886,4007892,4007917,4007927,4007942,4008028,4Jun 30 2013 20:22:28: %ASA-5-304001: 192.168.70.5 Accessed URL 173.194.33.55:http://www.google.ca/s?gs_rn=18&gs_ri=psy-ab&cp=10&gs_id=4j&xhr=t&q=rediff.com&es_nrs=true&pf=p&sclient=psy-ab&oq=&gs_l=&pbx=1&bav=on.2,or.r_qf.&bvm=bv.48572450,d.cGE&fp=f5cabcb9513fcfcb&biw=1366&bih=622&tch=1&ech=10&psi=4efQUcL1GcPOiwL3wYAg.1372645345226.1

Jun 30 2013 20:22:28: %ASA-6-106015: Deny TCP (no connection) from 173.194.33.50/80 to 192.168.71.74/29737 flags ACK on interface outside

Need to understand the Config in ReD and logs matched in Red color?

Regards

Mahesh

Enabling Advanced HTTP application inspection

Julio Carvajal — Mon, 01 Jul 2013 05:09:55 GMT

Hello My friend,

policy-map type inspect http http_inspect_map

parameters

protocol-violation action drop-connection log

match not response header content-type application/msword?????????????????????

drop-connection log

That says:

If the ASA sees a HTTP packet with a header host that does not contain an application/msword header response content it will be dropped.

So in the case you see the drops is due to the fact the response does not contain that header,

Did you configure that just for test purposes or is that what you are looking for

Regards

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Enabling Advanced HTTP application inspection

mahesh18 — Mon, 01 Jul 2013 05:13:45 GMT

Hi Julio,

Just for testing purposes.

So when you say look for header msword does this mean when i open the website like say

www.google.com it means that this url should have header msword other wise it will be dropped?

Regards

MAhesh

Enabling Advanced HTTP application inspection

Julio Carvajal — Mon, 01 Jul 2013 05:16:12 GMT

Hello,

The header content-type should be that one, exactly...Otherwise a drop will happen (as configured)

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Enabling Advanced HTTP application inspection

mahesh18 — Mon, 01 Jul 2013 05:21:43 GMT

Hi Julio,

Thanks for answering my question.

Yes sir post is rated as usual.

Regards

Mahesh

Enabling Advanced HTTP application inspection

Julio Carvajal — Mon, 01 Jul 2013 05:24:21 GMT

Great,

Have a great day Mahesh

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

topic Enabling Advanced HTTP application inspection in Network Security

Enabling Advanced HTTP application inspection

Enabling Advanced HTTP application inspection

Enabling Advanced HTTP application inspection

Enabling Advanced HTTP application inspection

Enabling Advanced HTTP application inspection

Enabling Advanced HTTP application inspection