Regular Expression on Cisco ASA


This post shows how to match text strings on the ASA, either literally as an exact string or with meta-characters so that one expression matches several variants of a string. For example, you can match a URL string inside an HTTP packet.
Note: Use Ctrl+V in order to escape special characters in the CLI, such as a question mark (?) or a tab. For example, type d[Ctrl+V]?g in order to enter d?g in the configuration.

Regex to capture extensions such as .exe, .com and .bat in a request line (the dot in the HTTP version is escaped so that it matches only a literal dot, not any character):

regex BlockEXT ".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1\.[01]"  

And/or URLs by domain name (the name domainYouTube is the one referenced by the class-map below):

regex domainYAHOO "\.yahoo\.com"  
regex domainMySpace "\.myspace\.com"  
regex domainYouTube "\.youtube\.com"  

And/or the Content-Type header and an application/* content type in a response:

regex contenttype "Content-Type"  
regex applicationheader "application/.*"  

Applying the above configurations to the Modular Policy Framework (MPF) is straightforward.

First, create an access list that selects the HTTP traffic to inspect:

access-list InsideTowww permit tcp any any eq www  

Second, reference the domain regexes in a new regex class-map, BlockDomains:

class-map type regex match-any BlockDomains  
match regex domainYAHOO  
match regex domainMySpace  
match regex domainYouTube  

Identify and inspect HTTP requests whose Host header matches the BlockDomains class created above:

class-map type inspect http match-all BlockDomainsMPF  
match request header host regex class BlockDomains  

Create another regex class-map to match the file extensions such as .exe:

class-map type regex match-any EXTBlockList  
match regex BlockEXT  

The default inspection class (already present in the ASA default configuration), followed by an HTTP inspection class that matches a response whose Content-Type header carries an application/* type:

class-map inspection_default  
match default-inspection-traffic

class-map type inspect http match-all AppHeaderClass  
match response header regex contenttype regex applicationheader  

Create a class that matches the traffic selected by the ACL:

class-map HTTPTraffic  
match access-list InsideTowww  

Inspect HTTP requests whose URI matches the EXTBlockList class:

class-map type inspect http match-all BlockEXTClass  
match request uri regex class EXTBlockList  

Define the actions (drop, reset or log) in the HTTP inspection policy map.

Create a new policy map (protocol-violation is configured under the parameters submode):

policy-map type inspect http http_inspection_policy  
 parameters  
  protocol-violation action drop-connection  
 class AppHeaderClass  
  drop-connection log  
 match request method connect  
  drop-connection log  
 class BlockDomainsMPF  
  reset log  
 class BlockEXTClass  
  reset log  

Apply the inspection policy map to the class HTTPTraffic under the policy map created for the inside network traffic:

policy-map inside-policy  
class HTTPTraffic  
  inspect http http_inspection_policy

Apply the policy to the inside interface:

service-policy inside-policy interface inside  
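Before committing the regexes above, it is worth checking what they do and do not catch. The following is an added example, not part of the original post or of any Cisco tool: it re-implements the page's regex class-maps and policy actions in Python (whose re module accepts this subset of the ASA regex syntax) and runs them over constructed sample requests. The sample hosts and request lines are invented for the test; on the ASA itself, the `test regex` command gives the authoritative answer.

```python
import re

# Regexes exactly as defined on this page; Python's re accepts this subset of ASA regex syntax.
REGEXES = {
    "BlockEXT": r".*\.([Ee][Xx][Ee]|[Cc][Oo][Mm]|[Bb][Aa][Tt]) HTTP/1\.[01]",
    "domainYAHOO": r"\.yahoo\.com",
    "domainMySpace": r"\.myspace\.com",
    "domainYouTube": r"\.youtube\.com",
    "contenttype": r"Content-Type",
    "applicationheader": r"application/.*",
}

# The "class-map type regex match-any" groups from the page: one hit is enough.
REGEX_CLASSES = {
    "BlockDomains": ["domainYAHOO", "domainMySpace", "domainYouTube"],
    "EXTBlockList": ["BlockEXT"],
}

def class_matches(class_name, text):
    """True if any regex in the match-any class is found anywhere in text (unanchored search)."""
    return any(re.search(REGEXES[name], text) for name in REGEX_CLASSES[class_name])

def classify_request(request_line, host):
    """Apply the page's request-side classes and return the action its policy map takes."""
    if class_matches("BlockDomains", host):          # class BlockDomainsMPF -> reset log
        return "reset"
    if class_matches("EXTBlockList", request_line):  # class BlockEXTClass -> reset log
        return "reset"
    return "allow"

def classify_response(headers):
    """Apply AppHeaderClass: a header whose name matches 'contenttype' and value 'applicationheader'."""
    for name, value in headers.items():
        if re.search(REGEXES["contenttype"], name) and re.search(REGEXES["applicationheader"], value):
            return "drop-connection"                 # class AppHeaderClass -> drop-connection log
    return "allow"

# Constructed sample traffic (not from the page); the last two show gaps in the patterns.
SAMPLES = [
    ("GET /downloads/setup.EXE HTTP/1.1", "files.example.net"),  # mixed-case extension: reset
    ("GET /index.html HTTP/1.1", "www.youtube.com"),             # listed domain: reset
    ("GET /tool.exe?id=7 HTTP/1.1", "files.example.net"),        # query string after .exe: allow
    ("GET / HTTP/1.1", "yahoo.com"),                             # no dot before yahoo: allow
]

if __name__ == "__main__":
    for line, host in SAMPLES:
        print(f"{host:20} {line:40} -> {classify_request(line, host)}")
    print(classify_response({"Content-Type": "application/octet-stream"}))
```

The two "allow" results show why a regex list should be tested against real traffic samples: a query string after the extension and a bare second-level domain both slip past the patterns as written.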

Good Luck!

Hassan El-Masri

Network Consultant Engineer
