02-15-2007 10:43 AM - edited 03-10-2019 03:28 AM
Hi,
I am implementing ASAs with SSM modules and I wanted confirmation that they can inspect HTTP and block embedded traffic such as Internet Radio from being tunnelled through HTTP.
The Cisco documentation hints at this, but I would like confirmation.
We will be implementing WebSense, but I was hoping the SSM modules would be a good temporary solution.
Thanks in advance.
02-21-2007 11:55 AM
You can create a signature that uses the service http engine and a request regex = .ram, in monitoring -> events. As an action you can either choose "block attacker inline", which blocks the user completely, or better, choose the "TCP reset" option.
For Creating Custom Signatures follow the link
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/idmguide/dmsigwiz.htm
02-21-2007 06:32 PM
I will give it a try, I didn't realize it used a .ram suffix.
02-22-2007 08:48 PM
Hello,
Are you using AIP-SSM (Intrusion Prevention) or CSC-SSM (Content Security)?
Andrew
02-24-2007 02:29 PM
IPS - SSM
I tried filtering on REGX, but it will get every hit of .ram, so it's not too accurate.
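The over-matching reported in the post above, reproduced as an added example that is not part of the thread. It uses Python's `re` module rather than the IPS signature engine's own regex syntax, and the tightened pattern, the function names and the request lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Pattern as written in the thread: the dot is a regex wildcard and nothing
# ties the match to the end of the requested path.
LOOSE = re.compile(r".ram")

# Tightened variant (an assumption, not from the thread): literal dot,
# case-insensitive, and the extension must end the URL path.
STRICT = re.compile(r"\.ram$", re.IGNORECASE)

# Constructed request lines, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /radio/live.ram HTTP/1.1",
    "GET /radio/LIVE.RAM?bitrate=64 HTTP/1.1",
    "GET /docs/programs.html HTTP/1.1",
    "GET /search?q=diagram HTTP/1.1",
    "GET /img/frame.png?ref=x.ram HTTP/1.1",
]

def request_path(request_line):
    """Return the path component of an HTTP request line, or None if malformed."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    return urlsplit(parts[1]).path

def loose_match(request_line):
    """Search the whole request line, as an unanchored signature would."""
    return LOOSE.search(request_line) is not None

def strict_match(request_line):
    """Match only when the requested path itself ends in .ram."""
    path = request_path(request_line)
    return path is not None and STRICT.search(path) is not None

def compare(requests):
    """Return (request, loose_hit, strict_hit) for each request line."""
    return [(r, loose_match(r), strict_match(r)) for r in requests]

if __name__ == "__main__":
    for line, loose, strict in compare(SAMPLE_REQUESTS):
        print(f"loose={loose!s:5} strict={strict!s:5} {line}")
```

The loose pattern fires on "programs", "diagram" and "frame" because the wildcard dot accepts any preceding character, while the anchored pattern fires only on the two requests whose path ends in the .ram extension.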
02-24-2007 10:55 PM
The AIP-SSM module is not designed for content filtering. You should probably try CSC-SSM for that, but you can also use Modular Policy Framework (MPF) on the ASA itself to accomplish the task:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/mpc.htm
It's even simpler through ASDM, where you have some pre-defined maps that allow you to block streaming audio/video over HTTP.
Andrew
02-25-2007 06:34 AM
Thanks, that's kind of what I figured. We want the IPS so we will stay with these modules, and use Websense for the filtering.
My understanding of the SSM module is that it provides much more inspection capability than the MPF inspects (it will do them all but provides more in-depth control).
Thanks