
ASA - HTTP POST LOGGING

David Tsulaia
Level 1

Hello dear all,

I need to log HTTP POST requests to a web server standing behind an ASA firewall, but I need to log the variables that are inside the POST request. I am able to match method post and the request body that contains the request and the variables themselves, but the log file only shows the message about the match, not the request body itself.

!
regex matchall "."
!
class-map type regex match-any Logregex
 match regex matchall
!
class-map type inspect http match-all Loginspect
 match request body regex class Logregex
!
policy-map type inspect http HTTP_POST_GET
 parameters
 match request method post
  log
 match request method get
  log
 class Loginspect
  log
!

This config produces the following syslog messages:

for post

%ASA-5-415009: HTTP - matched request method post in policy-map HTTP_POST_GET, method matched from

same for get and body

Any advice would be very welcome, including just a link to material to read.

Thanks in advance.

3 Replies

Julio Carvajal
VIP Alumni

Hello David,

Unfortunately, the log keyword used there will only tell you that a match has been made; it will not go any further by specifying the variables used in the HTTP POST.

As far as I know, there is no such command to accomplish that on the ASA. You could try an AIP-SSM in conjunction with the ASA and, besides generating an alert, also generate a packet capture so you could analyze each of the HTTP POSTs to your server.

Regards,

Julio Carvajal

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Unfortunately, packet capture is not an option, because it requires more resources than are available on the receiving end, and the POST capture/analysis is not a one-time thing. Plus we have no AIP-SSM at our disposal =)))

Thanks for the reply.

Hello David,

Yes, then I do not see a way to do this.

Hey man, my pleasure to help,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC