02-28-2013 07:06 AM - last edited on 03-25-2019 05:50 PM by ciscomoderator
Hello dear all,
I need to log HTTP POST requests to a web server standing behind an ASA firewall, but I need to log the variables that are inside the POST request. I am able to match the POST method and the request body that contains the request and the variables themselves, but the log file only shows the message about the match, not the request body itself.
!
regex matchall "."
!
class-map type regex match-any Logregex
 match regex matchall
!
class-map type inspect http match-all Loginspect
 match request body regex class Logregex
!
policy-map type inspect http HTTP_POST_GET
 parameters
 match request method post
  log
 match request method get
  log
 class Loginspect
  log
!
This config produces the following syslog messages:
for post
%ASA-5-415009: HTTP - matched request method post in policy-map HTTP_POST_GET, method matched from
same for get and body
Any advice would be very welcome, including just a link to material to read.
Thanks in advance.
03-04-2013 05:50 PM
Hello David,
Unfortunately, the log keyword used there will only tell you that a match has been done; it will not go any further by specifying the variables used in the HTTP POST.
As far as I know there is no such command to accomplish that on the ASA. You could try with an AIP-SSM in conjunction with the ASA and, besides generating an alert, also generating a packet capture so you could analyze each of the POST TCP HTTP to your server.
Regards,
Julio Carvajal
Remember to rate all of the helpful posts
03-06-2013 01:13 AM
Unfortunately, packet capture is not an option, because it requires more resources than available on the receiving end and the POST capture/analysis is not a one-time thing. Plus we have no AIP-SSM at our disposal =)))
Thanks for the reply.
03-06-2013 08:32 AM
Hello David,
Yes, then I do not see a way to do this
Hey man my pleasure to help,
Regards,