I have tried...
regex blockex1 "/test/"
regex blockex2 "cisco\.com"
regex blockex3 "\d*\.\d*\.\d*\.\d*"
regex blockex4 "(0|1|2|3|4|5|6|7|8|9)*\.(0|1|2|3|4|5|6|7|8|9)*\.(0|1|2|3|4|5|6|7|8|9)*\.(0|1|2|3|4|5|6|7|8|9)*\."
regex blockex6 "^http://\d*\.\d*\.\d*\.\d*(/|$)"
regex blockex7 "http://\d*\.\d*\.\d*\.\d*"
class-map type inspect http match-any block-url-class
match request uri regex blockex7 <--- I've tried each of the ones above individually here
policy-map type inspect http block-url-policy
inspect http block-url-policy
service-policy global_policy global
...What I'm trying to accomplish is prevent any site from being visited by IP address directly.
The practical applicaiton for this is so clever students cannot bypass our DNS-based internet filter (as implemented by systems like DNS Redirector, OpenDNS, and others)
Basically I need to ensure only a URL will a domain name will load, but not a URL with an IP address. There is no good reason anyone should be accessing sites by IP in our environment, in the rare case we need that I would make a DNS record for it.
Based on the above I have experienced...
blockex1 - works for blocking any URL with /test/ in it, ok, so I know my regex blocking is possible/working
blockex2 - works for blocking any URL with cisco.com in it, ok, so I know my regex blocking is possible/working
blockex3 blocks everything, nobody can surf anywhere, not what I want
blockex4 blocks everything, nobody can surf anywhere, not what I want
blockex6 does nothing, not what I want
blockex7 does nothing, not what I want
Any suggestions?? I tried different variants becuase I could not verify if all special meaning regex characters were supported by the ASA.
Currently the only way I am able to accomplish this is with a BHO object in the browser, changes to which are locked out by AD group-policy, but I have only found this solution for IE - I'd like to provide other browsers :-/
Our DNS-based blacklist has over 12000 keywords, blocking even more than that in currently active domain-names and even future, yet to be registered, suspicious domains. Adding these all to the ASA is not practical.
Is there any other network appliance that can do this? Or have I uncovered a bug in ASA's filtering URLs via regex?
I think with a slight modification to blockex3, you should be able to achieve what you are trying.
You currently have: regex blockex3 "\d*\.\d*\.\d*\.\d*"
However, * means 0 or more. This means that the regex would match "...", "2.3.4.", and many other non ip addresses as well.
(Though I am still clueless as to why it would block all traffic.)
The symbol + means 1 or more, and should match ip addresses only.
So please try the following regex and let me know if it works: regex blockex3 "\d+\.\d+\.\d+\.\d+"
Hope this helps.
P.S.: Please mark the question as answered if it has been resolved. Do rate helpful posts. Thanks
I tried regex blockex3 "\d+\.\d+\.\d+\.\d+" as you suggested, but that ended up blocking eveything (nobody could surf anywhere)
Any other ideas?
If I turn on logging in ASDM I can see my URLs with a domain, or with an IP, go flying by, but I always notice that an IP is out in front before the http:// is the whole line being checked against a regex? If that's the case, I think it's broken, but I can see why everything would come up blocked with a regex like "\d+\.\d+\.\d+\.\d+" then.