topic HTTP Inspection Cisco PIX 525 in Network Security

HTTP Inspection Cisco PIX 525

matthiasbuchholz — Mon, 11 Mar 2019 23:58:44 GMT

I need to filter inbound HTTP requests <outside> to <dmz> headed to www.XYZ.com/XXX/admin/XXX.jsp.

My regex is: regex HACKBLOCK "*/admin/.*\.jsp*"

My class-maps are:

class-map type regex match-any HACKBLOCK_METHOD

match regex GET

class-map XXXXTWBLOCK

match access-list HACKBLOCK_HOSTS

class-map type regex match-any HACKBLOCK_URL

match regex HACKBLOCK

class-map type inspect http match-all HACKBLOCK_FILTER

match request uri regex class HACKBLOCK_URL

class-map inspection_default

match default-inspection-traffic

My policy-maps are:

policy-map type inspect http HACKBLOCK_HTTP

parameters

class HACKBLOCK_FILTER

log

policy-map global_policy

class inspection_default

inspect ftp

inspect h323 h225

inspect netbios

inspect rsh

inspect rtsp

inspect sip

inspect skinny

inspect sqlnet

inspect sunrpc

inspect tftp

inspect xdmcp

inspect dns

inspect h323 ras

class XXXXTWBLOCK

inspect http HACKBLOCK_HTTP

policy-map OUTSIDE

class XXXXTWBLOCK

inspect http HACKBLOCK_HTTP

class class-default

policy-map type inspect dns migrated_dns_map_1

parameters

message-length maximum 1200

As you can see, I added the inspection rule to a seperate class name ENPROTWBLOCK. This matches traffic based on destination of our class C. I see that I am matching traffic in the ACL, but no matches on the HTTP inspection rule:

#sh service-pol inspec http

Global policy:

Service-policy: global_policy

Class-map: inspection_default

Class-map: XXXXTWBLOCK

Inspect: http HACKBLOCK_HTTP, packet 745097, drop 0, reset-drop 0

protocol violations

packet 34206

class HACKBLOCK_FILTER

log, packet 0

enp-amer-clt-pix525-a#

I am generating bogus traffic to http://www.<ourdomain>.com/admin/test.jsp

Any idea whats going on here and why I am not macthing the HTTP uri's ????

Thanks,

Matthias CCIE# 28445

HTTP Inspection Cisco PIX 525

Harish Balakrishnan — Tue, 25 Sep 2012 14:38:25 GMT

Hello Matthias

Can you Make sure that your acl HACKBLOCK_HOSTS properly configured and you are getting hits on the ACL when you are trying ?

regards

Harish.

HTTP Inspection Cisco PIX 525

matthiasbuchholz — Tue, 25 Sep 2012 14:45:02 GMT

I get hits on the ACL. The issue is that the HTTP inspection does not seem to function. Just for my own understanding, the global policy will match inbound traffic arriving on the outside interface right ?

access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65138) 0x6402ac20

enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS

access-list HACKBLOCK_HOSTS; 1 elements

access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65245) 0x6402ac20

enp-amer-clt-pix525-a# sh access-list HACKBLOCK_HOSTS

access-list HACKBLOCK_HOSTS; 1 elements

access-list HACKBLOCK_HOSTS line 1 extended permit ip any 66.192.168.0 255.255.255.0 (hitcnt=65285) 0x6402ac20

HTTP Inspection Cisco PIX 525

matthiasbuchholz — Tue, 25 Sep 2012 14:59:26 GMT

I figured it out !!!

The regular expression was incorrect:

I had:

regex HACKBLOCK "*/admin/.*\.jsp*"

I needed

regex HACKBLOCK ".*/admin/.*\.jsp.*"

now I see matched traffic:

Global policy:

Service-policy: global_policy

Class-map: inspection_default

Class-map: ENPROTWBLOCK

Inspect: http HACKBLOCK_HTTP, packet 25380, drop 0, reset-drop 0

protocol violations

packet 1628

class HACKBLOCK_FILTER

log, packet 2