|
Author
|
Topic: REGEX in IPS
|
DKM
Jr Member
Member # 31823
Rate Member
|
posted January 20, 2012 10:14 PM
Dear Experts
I am configuring a custom filter in IPS, wherein I am asked to block www.abc.com access.
When selected HTTP engine, I see option to specify URI in regex form.
Can I add just www.abc.com there or should it be
"www.abc.com" , or [wW][wW][wW]\.[aA][bB][cC]\.[cC][oO][mM] , or something else
Kindly guide me ![[Frown]](frown.gif)
Regards
KM
Posts: 10 | From: Dubai | Registered: Jan 2012
| IP: Logged
|
|
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
Member Rated:
|
posted January 21, 2012 08:02 PM
Both are fine. The later should be used, when they ask for case sensitive match.
With regards
Kings
Posts: 887 | From: India | Registered: Jun 2010
| IP: Logged
|
|
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
Member Rated:
|
posted January 21, 2012 08:03 PM
This is more apt:
www\.abc\.com
With regards
Kings
Posts: 887 | From: India | Registered: Jun 2010
| IP: Logged
|
|
DKM
Jr Member
Member # 31823
Rate Member
|
posted January 22, 2012 01:30 AM
Thank you,
In exam if I get a question like this, for NBAR or layer 7 inspect in Zone-FW or ASA, which is the best option to use ...Will Cisco consider answer as wrong if we use simple match www.abc.com ( without inverted comma)
Posts: 10 | From: Dubai | Registered: Jan 2012
| IP: Logged
|
|
Kingsley Charles (CCSP, CCNP, CCIP)
Brainiac
Member # 29872
Member Rated:
|
posted January 22, 2012 02:08 AM
If use just "." means it will match anything which means "www2abc3com" will also be matched.
With regards
Kings
Posts: 887 | From: India | Registered: Jun 2010
| IP: Logged
|
|
slimak
Specialist
Member # 30837
Rate Member
|
posted January 25, 2012 01:39 PM
Yes it is right when you specify regex (ZBF,IPS,ASA inspection).
But be aware, that nbar doesn't use regex when you specify some uri or host string!
so
class-map BLACK-LIST
match protocol http host "*www.abc.com"
is only correct in this special case.
Posts: 51 | From: SK | Registered: May 2011
| IP: Logged
|
|
|
UBBFriend: Email this page to someone!
Printer-friendly view of this topic