topic Blocking any HTTP URLs that contain IPs (but not domain-names) in Network Security

Blocking any HTTP URLs that contain IPs (but not domain-names)

Delete Account — Mon, 11 Mar 2019 20:42:05 GMT

Based on: https://supportforums.cisco.com/docs/DOC-1268

I have tried...

regex blockex1 "/test/"

regex blockex2 "cisco\.com"

regex blockex3 "\d*\.\d*\.\d*\.\d*"

regex blockex4 "(0|1|2|3|4|5|6|7|8|9)*\.(0|1|2|3|4|5|6|7|8|9)*\.(0|1|2|3|4|5|6|7|8|9)*\.(0|1|2|3|4|5|6|7|8|9)*\."

regex blockex6 "^http://\d*\.\d*\.\d*\.\d*(/|$)"

regex blockex7 "http://\d*\.\d*\.\d*\.\d*"

class-map type inspect http match-any block-url-class

match request uri regex blockex7 <--- I've tried each of the ones above individually here

policy-map type inspect http block-url-policy

parameters

class block-url-class

drop-connection log

policy-map global_policy

class inspection_default

inspect http block-url-policy

service-policy global_policy global

...What I'm trying to accomplish is prevent any site from being visited by IP address directly.

For example I want http://www.example.com to work but http://192.0.32.10 to be blocked.

The practical applicaiton for this is so clever students cannot bypass our DNS-based internet filter (as implemented by systems like DNS Redirector, OpenDNS, and others)

Basically I need to ensure only a URL will a domain name will load, but not a URL with an IP address. There is no good reason anyone should be accessing sites by IP in our environment, in the rare case we need that I would make a DNS record for it.

Based on the above I have experienced...

blockex1 - works for blocking any URL with /test/ in it, ok, so I know my regex blocking is possible/working

blockex2 - works for blocking any URL with cisco.com in it, ok, so I know my regex blocking is possible/working

blockex3 blocks everything, nobody can surf anywhere, not what I want

blockex4 blocks everything, nobody can surf anywhere, not what I want

blockex6 does nothing, not what I want

blockex7 does nothing, not what I want

Any suggestions?? I tried different variants becuase I could not verify if all special meaning regex characters were supported by the ASA.

Currently the only way I am able to accomplish this is with a BHO object in the browser, changes to which are locked out by AD group-policy, but I have only found this solution for IE - I'd like to provide other browsers 😕

Our DNS-based blacklist has over 12000 keywords, blocking even more than that in currently active domain-names and even future, yet to be registered, suspicious domains. Adding these all to the ASA is not practical.

Is there any other network appliance that can do this? Or have I uncovered a bug in ASA's filtering URLs via regex?

Re: Blocking any HTTP URLs that contain IPs (but not domain-name

Shrikant Sundaresh — Fri, 03 Jun 2011 05:59:38 GMT

Hi JP,

I think with a slight modification to blockex3, you should be able to achieve what you are trying.

You currently have: regex blockex3 "\d*\.\d*\.\d*\.\d*"

However, * means 0 or more. This means that the regex would match "...", "2.3.4.", and many other non ip addresses as well.

(Though I am still clueless as to why it would block all traffic.)

The symbol + means 1 or more, and should match ip addresses only.

So please try the following regex and let me know if it works: regex blockex3 "\d+\.\d+\.\d+\.\d+"

Hope this helps.

-Shrikant

P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks

Re: Blocking any HTTP URLs that contain IPs (but not domain-name

Delete Account — Fri, 03 Jun 2011 13:51:52 GMT

I tried regex blockex3 "\d+\.\d+\.\d+\.\d+" as you suggested, but that ended up blocking eveything (nobody could surf anywhere)

Any other ideas?

Re: Blocking any HTTP URLs that contain IPs (but not domain-name

Delete Account — Mon, 06 Jun 2011 20:47:16 GMT

It would seem that regex blocking should never include the http:// or https:// part of the URL, is that correct? can someone confirm that's how it's supposed to work on the ASA?

If I turn on logging in ASDM I can see my URLs with a domain, or with an IP, go flying by, but I always notice that an IP is out in front before the http:// is the whole line being checked against a regex? If that's the case, I think it's broken, but I can see why everything would come up blocked with a regex like "\d+\.\d+\.\d+\.\d+" then.