class-map type inspect ---> policy-map type inspect ---> policy-map ---> service-policy
class-map---->policy-map---->service-policy

Regular expressions:

Grouping regular expressions:
ciscoasa(config)# regex myregex1 cisco1\.com
ciscoasa(config)# regex myregex2 cisco2\.com
ciscoasa(config)# class-map type regex match-any myclassr
ciscoasa(config-cmap)# match regex myregex1
ciscoasa(config-cmap)# match regex myregex2
ciscoasa# test regex cisco.com "cisco\.com"
// Test: check whether the input string matches the regex
ciscoasa(config)# class-map ?
configure mode commands/options:
WORD < 41 char class-map name
type Specifies the type of class-map
// What is defined under type is used in the class; the type keyword is used the same way in policy-map

// Replace the default HTTP port 80 with 8080
ciscoasa(config)# class-map http8080
ciscoasa(config-cmap)# match port tcp eq 8080
ciscoasa(config)# policy-map mypolicy
ciscoasa(config-pmap)# class http8080
ciscoasa(config-pmap-c)# inspect http
ciscoasa(config)# service-policy mypolicy interface inside

// Inspect both 80 and 8080 at the same time
ciscoasa(config)# class-map http8080
ciscoasa(config-cmap)# match port tcp eq 8080
ciscoasa(config)# class-map http80
ciscoasa(config-cmap)# match port tcp eq 80
ciscoasa(config)# policy-map mypolicy
ciscoasa(config-pmap)# class http8080
ciscoasa(config-pmap-c)# inspect http
ciscoasa(config-pmap)# class http80
ciscoasa(config-pmap-c)# inspect http
ciscoasa(config)# service-policy mypolicy interface inside
-------------------------------- Example -----------------------------------------
ciscoasa(config)# class-map type inspect http myhttp
ciscoasa(config)# policy-map type inspect http myinpolicy
ciscoasa(config-pmap)# class myhttp
ciscoasa(config-pmap-c)# drop-connection
ciscoasa(config)# policy-map mypolicy
ciscoasa(config-pmap)# class class-default
ciscoasa(config-pmap-c)# inspect http myinpolicy
ciscoasa(config)# service-policy mypolicy interface inside
-----------------------------------------------------------------------------
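Added example (not part of the original notes): the full chain from the first line, written in running-config form, with the regex class myclassr tied into the HTTP inspection class myhttp. The "match request header host" line and the "log" keyword are assumptions; the notes do not show what myhttp matches.

```cisco
! Added example. Names are reused from the notes above; the match line
! inside myhttp is an assumption, the notes do not show one.
!
! 1. Regexes and the regex class that groups them
regex myregex1 cisco1\.com
regex myregex2 cisco2\.com
class-map type regex match-any myclassr
 match regex myregex1
 match regex myregex2
!
! 2. Layer 7 class: HTTP requests whose Host header matches any regex in myclassr
class-map type inspect http match-all myhttp
 match request header host regex class myclassr
!
! 3. Layer 7 policy: drop matching connections and log the drop
policy-map type inspect http myinpolicy
 class myhttp
  drop-connection log
!
! 4. Layer 3/4 class: select the traffic that is handed to HTTP inspection
class-map http80
 match port tcp eq 80
!
! 5. Layer 3/4 policy: run HTTP inspection with the Layer 7 policy attached
policy-map mypolicy
 class http80
  inspect http myinpolicy
!
! 6. Apply the policy to the inside interface
service-policy mypolicy interface inside
!
! Check: inspection counters and drops for the HTTP inspection
show service-policy inspect http
```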