07-02-2007 03:11 PM - edited 03-11-2019 03:38 AM
I'm trying to block access to lycos.com and doing it this way, but it's not working:
regex regex_lycos "www.lycos.com"
class-map cmap_test
class-map type regex match-any cmap_regex1
match regex regex_lycos
class-map type inspect http match-all http_traffic
match request uri regex class cmap_regex1
!
policy-map type inspect http pmap_http
parameters
class http_traffic
reset log
policy-map pmap3
class cmap_test
inspect http pmap_http
!
service-policy pmap3 interface inside
service-policy pmap3 interface outside
Here is the output of my 'show service-policy' commands after going to lycos.com. The connection was allowed and nothing was blocked.
H(config)# sh service-policy int inside
Interface inside:
Service-policy: pmap3
Class-map: cmap_test
Inspect: http pmap_http, packet 0, drop 0, reset-drop 0
H(config)# sh service-policy int ou
Interface outside:
Service-policy: pmap3
Class-map: cmap_test
Inspect: http pmap_http, packet 0, drop 0, reset-drop 0
07-06-2007 12:38 PM
The enhanced HTTP inspection feature, which is also known as an application firewall and is available when you configure an HTTP map, can help prevent attackers from using HTTP messages for circumventing network security policy.
Refer to this link:
http://www.cisco.com/en/US/docs/security/asa/asa71/configuration/guide/inspect.html#wp1431359
08-22-2007 08:06 AM
Hi,
Try replacing the following command,
regex regex_lycos "www.lycos.com"
with
regex regex_lycos "w{3}\.lycos\.com"
Rate it if it helps.
Regards,
Sridhar.
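Added example, not part of the original thread and not Cisco code: a Python sketch showing which field of a request each of the two patterns from the posts above matches. In a direct browser request the request line carries only the path and the hostname travels in the Host header. The sample requests are constructed, and Python's `re` is assumed to behave like the ASA regex engine for these two simple patterns.

```python
import re

# Patterns from the thread, written as Python regexes (assumption: equivalent
# to the ASA regex engine for these simple cases).
UNESCAPED = re.compile(r"www.lycos.com")    # original post: '.' matches any character
ESCAPED = re.compile(r"w{3}\.lycos\.com")   # suggested replacement: literal dots

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into the request-line URI and the Host header."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "host": headers.get("host", "")}

def field_matches(raw: bytes) -> dict:
    """Return {(pattern_label, field): matched} for both patterns and both fields."""
    req = parse_request(raw)
    return {
        (label, field): bool(pattern.search(req[field]))
        for label, pattern in (("unescaped", UNESCAPED), ("escaped", ESCAPED))
        for field in ("uri", "host")
    }

# Constructed sample requests (not captured traffic).
BROWSER_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                   b"Host: www.lycos.com\r\nUser-Agent: test\r\n\r\n")
PROXY_REQUEST = (b"GET http://www.lycos.com/index.html HTTP/1.1\r\n"
                 b"Host: www.lycos.com\r\n\r\n")
LOOKALIKE_REQUEST = b"GET / HTTP/1.1\r\nHost: wwwXlycosYcom.example\r\n\r\n"

if __name__ == "__main__":
    samples = {"browser": BROWSER_REQUEST, "proxy": PROXY_REQUEST,
               "lookalike": LOOKALIKE_REQUEST}
    for name, raw in samples.items():
        print(name, parse_request(raw))
        for key, hit in field_matches(raw).items():
            print("   ", key, hit)
```

Neither pattern finds the hostname in the URI of the direct browser request; both find it in the Host header, and only the unescaped pattern also matches the lookalike host.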