We have a case where we need to deny incoming traffic on the outside interface containing HTTP/1.0 requests. I'm not sure if it has to be scripted or if the inspection maps for HTTP can manage this.
Help would be appreciated.
Are you in a situation where the HTTP 1.0 request is leaking the private IP of your server? Is that why you want to block it?
Thanks for your reply.
We have a 1 to 1 nat.
But no, not really. It was due to an attack on port 80 where the attacker used massive GET -> HTTP/1.0. I know the risks of filtering out HTTP/1.0 (Google search, I believe, uses HTTP/1.0). The attack has been stopped by an Apache server block, so it's not critical, but for cases in the future I would like to filter any aspect I choose for port 80.
So if anyone could give me an example of an inspect map where microfiltering on port 80 is used for filtering out HTTP/1.0, it would be great.
I tested this on my ASA and it appears to work. I tested by changing network.http.version in "about:config" in my Firefox from 1.1 to 1.0.
access-list inside_http extended permit tcp 192.168.2.0 255.255.255.0 any eq www
regex http10 "HTTP/1.0"
match access-list inside_http
class-map type inspect http match-all deny_http_1.0
match request args regex http10
policy-map type inspect http inspect_http_with_blocking
inspect http inspect_http_with_blocking
I don't think it would be a good idea to run this all the time. But if you do get hit again, you should be able to put it in place quickly to mitigate the attack.
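Since the thread notes that a blanket HTTP/1.0 block can also cut off legitimate clients, the following added example (not part of the original posts) shows one way to check web server logs before enabling such a block: it separates high-volume HTTP/1.0 sources from low-volume ones that would be collateral. The Apache common log format, the function name `http10_report`, the threshold and the sample lines are all assumptions made for illustration.

```python
import re
from collections import Counter

# Apache common/combined log format: client, identity, user, [timestamp], "request line".
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) \S+ (HTTP/\d\.\d)"')


def http10_report(lines, flood_threshold=3):
    """Classify clients that sent HTTP/1.0 requests.

    Returns (flood, collateral): dicts mapping client IP -> HTTP/1.0 request count.
    'flood' holds clients at or above the threshold; 'collateral' holds the
    low-volume HTTP/1.0 clients that a blanket block would also cut off.
    """
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # malformed or empty request line (e.g. timeouts logged as "-")
        client, _method, version = m.groups()
        if version == "HTTP/1.0":
            counts[client] += 1
    flood = {ip: n for ip, n in counts.items() if n >= flood_threshold}
    collateral = {ip: n for ip, n in counts.items() if n < flood_threshold}
    return flood, collateral


# Constructed sample log lines using documentation address ranges (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET / HTTP/1.0" 200 512',
    '203.0.113.7 - - [10/Oct/2010:13:55:36 +0000] "GET / HTTP/1.0" 200 512',
    '192.0.2.15 - - [10/Oct/2010:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Oct/2010:13:55:37 +0000] "GET / HTTP/1.0" 200 512',
    '198.51.100.20 - - [10/Oct/2010:13:55:38 +0000] "GET /status HTTP/1.0" 200 64',
    '198.51.100.99 - - [10/Oct/2010:13:55:38 +0000] "-" 408 0',
    '203.0.113.7 - - [10/Oct/2010:13:55:39 +0000] "GET / HTTP/1.0" 200 512',
    '192.0.2.15 - - [10/Oct/2010:13:55:40 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    flood, collateral = http10_report(SAMPLE)
    for ip, n in sorted(flood.items(), key=lambda kv: -kv[1]):
        print(f"likely flood source: {ip} ({n} HTTP/1.0 requests)")
    for ip, n in sorted(collateral.items()):
        print(f"would also be blocked: {ip} ({n} HTTP/1.0 requests)")
```

Tune `flood_threshold` to the log window being examined; the value of 3 only suits the short constructed sample.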