ASA SSM Module inspecting and blocking Internet Radio

bjames
Level 5

Hi,

I am implementing ASAs with SSM modules and I wanted confirmation that they can inspect HTTP and block embedded traffic such as Internet Radio from being tunnelled through HTTP.

The Cisco documentation hints at this, but I would like confirmation.

We will be implementing WebSense, but I was hoping the SSM modules would be a good temporary solution.

Thanks in advance.

6 Replies

gmarogi
Level 5

You can create a signature that uses the service http engine and a request regex = .ram, in monitoring -> events. As an action you can either choose "block attacker inline", which blocks the user completely, or better, choose the "TCP reset" option.

For Creating Custom Signatures follow the link

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids11/idmguide/dmsigwiz.htm

I will give it a try, I didn't realize it used a .ram suffix.

Andrew Ossipov
Cisco Employee

Hello,

Are you using AIP-SSM (Intrusion Prevention) or CSC-SSM (Content Security)?

Andrew

IPS - SSM

I tried filtering on REGX, but it will get every hit of .ram, so it's not too accurate.
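
Why a bare `.ram` pattern fires on unrelated requests, shown as an added example that is not part of the original thread: it compares that pattern with a check on the file extension of the request URI path. The request lines are constructed, the function names are hypothetical, and it assumes the `.` is evaluated as a regex wildcard.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Constructed sample HTTP request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /streams/morning-show.ram HTTP/1.1",
    "GET /docs/program-guide.html HTTP/1.1",
    "GET /search?q=ceramics HTTP/1.1",
    "GET /images/panorama.jpg HTTP/1.1",
    "GET /radio/LIVE.RAM?session=42 HTTP/1.1",
    "POST /upload/frames.ramdisk HTTP/1.1",
]

# The pattern as written in the thread. Assumption: "." is a wildcard,
# so this matches any character followed by "ram", anywhere in the line.
NAIVE = re.compile(r".ram")

# Assumption: the extension list is local policy; the thread names only .ram.
STREAM_EXTENSIONS = {".ram"}


def naive_match(request_line):
    """True if the unanchored pattern appears anywhere in the request line."""
    return NAIVE.search(request_line) is not None


def path_extension_match(request_line):
    """True only if the URI path (query string removed) ends in a listed extension."""
    parts = request_line.split()
    if len(parts) != 3:  # not a well-formed "METHOD URI VERSION" line
        return False
    path = urlsplit(parts[1]).path.lower()  # normalise case before comparing
    return posixpath.splitext(path)[1] in STREAM_EXTENSIONS


def compare(requests):
    """Return (request, naive_hit, extension_hit) for each request line."""
    return [(r, naive_match(r), path_extension_match(r)) for r in requests]


if __name__ == "__main__":
    for request, naive, strict in compare(SAMPLE_REQUESTS):
        print(f"naive={naive!s:5} extension={strict!s:5} {request}")
```
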

The AIP-SSM module is not designed for content filtering. You should probably try CSC-SSM for that, but you can also use Modular Policy Framework (MPF) on the ASA itself to accomplish the task:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/firewall/mpc.htm

It's even simpler through ASDM, where you have some pre-defined maps that allow you to block streaming audio/video over HTTP.

Andrew

Thanks, that's kind of what I figured. We want the IPS so we will stay with these modules, and use Websense for the filtering.

My understanding of the SSM module is that it provides much more inspection capability than the MPF inspects (it will do them all but provides more in-depth control).

Thanks
