cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
858
Views
0
Helpful
0
Replies

regular expression matching of custome http headers

I am working on an existing configuration that applies a regular expression policy-map to inspect the HTTP headers of all HTTP packets destined for a single web server.  Currently we check to make sure two custom headers exist in the HTTP 1.1 packet and if they do not we drop the packet.  We now have another partner who needs to access the web server and we want to check for a second pair of headers. My problem is finding either some kind of logic operator in the policy map to say [ IF (BOTH "header-a-1" and "header-a-2") OR (BOTH "header-b-1" and "header-b-2") ] or modifying my current config with some better regular expressions.

I am working on an ASA 5520 running 8.4(3).  This is my current configuration and it works for checking only the original pair of custom headers:

regex header1 "header-a-1"

regex header2 "header-a-2"

access-list whitelist extended deny tcp 5.0.0.0 255.0.0.0 host 10.0.0.10 eq www

access-list whitelist extended permit tcp any host 10.0.0.10 eq www

class-map type inspect http match-all header-class

match not request header regex header1 count gt 0

match not request header regex header2 count gt 0

class-map whitelist-class

match access-list whitelist

policy-map type inspect http header-policy

parameters

class header-class

  drop-connection

policy-map global_policy

...

...

class whitelist-class

  inspect http header-policy

service-policy global_policy global

**we want to whitelist some source addresses, hence the whitelist ACL

With out some way to implement logic operators, the only option I see to have the firewall look for either pair is to write a better regex  expression that will check for both headers in one statement. This is  where I am having issues. I can not figure out a regex expression that  will look for both 'header-a-1" and "header-a-2". For example I tried  modifying the config to the following but could not get it to work:

regex headera1 "(header-a-1)(.)*(header-a-2)"

regex headera2 "(header-a-2)(.)*(header-a-1)"

regex headerb1 "(header-b-1)(.)*(header-b-2)"

regex headerb2 "(header-b-2)(.)*(header-b-1)"

class-map type inspect http match-any header-class

match not request header regex headera1 count gt 0

match not request header regex headera2 count gt 0

match not request header regex headerb1 count gt 0

match not request header regex headerb2 count gt 0

Thanks,

Travis