topic ASA 5510 http filtering with regex in Network Security

ASA 5510 http filtering with regex

GiorgiChubko — Mon, 11 Mar 2019 17:49:24 GMT

I have problem to filter http traffic with regex . URL filtering works fine, but domain name filtering doesn't work correctly. Hire is configuration:

regex MP3Files ".+\.[Mm][Pp][3]"
regex AVIFiles ".+\.[Aa][Vv][Ii]"

regex Domain1 "myspace\.com"
regex Domain2 "facebook\.com"

access-list Inside_Subnet extended permit tcp 172.17.0.0 255.255.0.0 any eq 80
access-list Inside_Subnet extended permit tcp 172.17.0.0 255.255.0.0 any eq 8080

class-map type regex match-any File_Exstension_Class
match regex AVIFiles
match regex MP3Files

class-map type regex match-any Domain_List_Class
match regex Domain1
match regex Domain2

class-map Inside_Subnet
match access-list Inside_Subnet

class-map type inspect http match-any File_Exstensions
match request uri regex class File_Exstension_Class

class-map type inspect http match-any Domain_Class
match request header host regex class Domain_List_Class

policy-map type inspect http Inside_Policy
parameters
class File_Exstensions
drop-connection
class Domain_Class

drop-connection

policy-map inside-policy
class Inside_Subnet
inspect http Inside_Policy

service-policy inside-policy interface inside

Re: ASA 5510 http filtering with regex

Jennifer Halim — Sun, 23 May 2010 04:20:53 GMT

The regex for myspace and facebook should be as follows:

regex Domain1 "\.myspace\.com"
regex Domain2 "\.facebook\.com"

Here is a sample configuration:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

Hope that helps.

Re: ASA 5510 http filtering with regex

GiorgiChubko — Thu, 27 May 2010 11:23:00 GMT

Thanks for help.
Actually it does not block some of the web sites.
I have big regex class map, from that class map some of the web sites aren't blocked.
I done configuration from that example:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
What can be problem?
ASA Software version is 8.2(1).

Re: ASA 5510 http filtering with regex

Dwi Haryanto — Thu, 21 Oct 2010 09:39:40 GMT

hi,

i have test u'r configuration, n i want to block mp3 file, but u'r configuration was fail.

can u tell what that i miss?

Re: ASA 5510 http filtering with regex

Panos Kampanakis — Thu, 21 Oct 2010 17:56:58 GMT

What config are you using? Can you post your class-maps, policy-map and regexes?

Re: ASA 5510 http filtering with regex

GiorgiChubko — Thu, 21 Oct 2010 20:03:17 GMT

Actually this configuration is working in my network (ASA 8.2). You should check this links:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940c5a.shtml

Re: ASA 5510 http filtering with regex

Dwi Haryanto — Fri, 22 Oct 2010 01:38:58 GMT

Hi Giorgi,

thx i think i miss to write letter 's' on class-map type inspect http match-any File_Exstensions, that way i get any thing not work.

once more thx u so much Giorgi