
ASA – Regular Expression Matching

Regular expression matching is used for several different applications within the Modular Policy Framework (MPF). A regular expression is basically a text-matching pattern: either exact text, or a pattern that matches multiple variants of a text string. In most cases, whenever you run across name-based policies (URLs, file names and the like), you will more than likely need to configure regular expressions. The “regex” command is used to configure regular expressions on the security appliance. Below we discuss the special characters, called metacharacters, that are used to build wildcard matches of text strings. These are the majority of the metacharacters we will be dealing with.

Character – Description – Notes

^  Caret: marks the start of a string. ^block matches any string that starts with “block”. Eg: blocktraffic

|  Alternation: matches either of the strings it separates. Eg: traffic|block matches both traffic and block.

*  Asterisk: matches any number of the previous character, including 0. Eg: trafficblo*ck matches trafficblck, trafficblock, trafficbloock, trafficblooock, etc.

?  Question Mark: matches 0 or 1 of the previous character. Eg: trafficblo?ck matches both trafficblock and trafficblck.

+  Plus: like the asterisk, except that the previous character must appear at least once (one or more). Eg: trafficblo+ck matches trafficblock, trafficbloock, trafficblooock, etc., but not trafficblck.

{x}  Repeat Quantifier: repeats the previous character exactly x times. Eg: trafficblo{5}ck matches trafficblooooock (five o’s) and nothing else.

{x,}  Minimum Repeat Quantifier: repeats the previous character at least x times. Eg: trafficblo{5,}ck matches trafficblooooock, trafficbloooooock and any longer run of o’s, but not trafficblock, trafficbloock, trafficblooock or trafficbloooock, since those have fewer than five.

[a-d]  Character Range Class: matches any single character in the range. Eg: [a-d] matches the lower case letters a, b, c, d. [A-DR-Z] matches the upper case letters A, B, C, D, R, S, T, U, V, W, X, Y, Z.

[^abc]  Negated Character Class: matches a single character that is not contained within the brackets. For example, [^abc] matches any character other than a, b, or c. [^A-Z] matches any single character that is not an upper case letter.

[abc]  Character Class: matches any single character listed within the brackets. [a-z] matches any lower case letter. You can mix characters and ranges: [abcq-z] matches a, b, c, q, r, s, t, u, v, w, x, y, z, and so does [a-cq-z]. The dash (-) is literal only if it is the first or last character within the brackets: [abc-] or [-abc]. Note that a class matches one character, not a word: [bin] matches a single b, i or n, not the string “bin”.

.  Dot: probably the most dangerous wildcard, since it matches any single character: a digit, a letter, punctuation, even a space. If you put in h..se it can match horse, house, he se, h1!se, etc.

(exp)  Subexpression: groups the characters surrounded by the parentheses so that alternation and quantifiers apply to the whole group. Eg: h(ou|or)se matches house or horse.

\  Escape character: escapes a metacharacter so it is matched literally, as if it were ordinary text. Eg: to match a parenthesis we would write \( and to match a literal dot we would write \. (an unescaped dot matches any character).

char  Character: any character that is not a metacharacter matches itself. A run of them such as “word” matches exactly that text.

“”  Quotation marks: keep any leading or trailing spaces in the string being matched. Eg: “ house “ keeps the leading space as well as the trailing space for matching.

Just a side note: you can combine different metacharacters in a single pattern. Some matching patterns are simple, but you can build more complex ones. If you wanted to match file names that start with “sdm”, you can use “^sdm.*”. This matches anything that starts with sdm followed by any characters of any length, including nothing at all, since * allows zero repeats.

So, for an example, we have the following scenario. We would like to prevent users from downloading files from our FTP site whose names start with any number and end in either .bin or .exe. We would have to set up a regex and apply it in MPF. Two details matter in the pattern: the dot before the extension must be escaped (\.) so that it matches a literal dot rather than any character, and the two extensions must go in a subexpression with alternation, (bin|exe). Writing them as a character class, [bin|exe], would match only a single b, i, n, |, e or x, so a name like 3readme.txt would be blocked too. Also note that nothing in the pattern anchors the end of the name, so a file such as 4archive.bin.txt is blocked as well; acceptable for a deny policy, but worth knowing. Let’s look at our commands to accomplish this.


regex regex_ftp "^[0-9].*\.(bin|exe)"

class-map type regex match-any cmap_files_nodownload
match regex regex_ftp

class-map cmap_ftp_traffic
match port tcp eq 21

policy-map type inspect ftp pmap_inspect_ftp
match filename regex class cmap_files_nodownload
reset

policy-map global_policy
class cmap_ftp_traffic
inspect ftp strict pmap_inspect_ftp
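To see why the escaped dot and the subexpression matter, here is an added example that is not part of the original post and is not Cisco code. It runs the flawed character-class version of the filter, ^[0-9].*.[bin|exe], beside the corrected ^[0-9].*\.(bin|exe) over a constructed list of file names, using Python’s re module in place of the ASA regex engine. It assumes re treats these particular metacharacters (caret, dot, asterisk, backslash escape, brackets, parentheses, alternation) the same way the ASA does; the file names and the function blocked_by are made up for the illustration.

```python
import re

# Constructed sample directory listing (not from the original post).
SAMPLE_FILENAMES = [
    "1setup.exe",         # should be blocked: digit first, .exe extension
    "2016-firmware.bin",  # should be blocked: digit first, .bin extension
    "3readme.txt",        # should be allowed: .txt extension
    "setup.exe",          # should be allowed: no leading digit
    "4archive.bin.txt",   # edge case: '.bin' in the middle of the name
    "5exe",               # should be allowed: no dot, no real extension
]

# Flawed pattern: '[bin|exe]' is a character class, so it matches ONE
# character out of b, i, n, |, e, x, and the bare '.' before it matches
# any single character.  Together they match almost any name that starts
# with a digit.
REGEX_ORIGINAL = r"^[0-9].*.[bin|exe]"

# Corrected pattern: '\.' is a literal dot and '(bin|exe)' is a
# subexpression with alternation, so the whole extension must be present.
REGEX_FIXED = r"^[0-9].*\.(bin|exe)"


def blocked_by(pattern, filenames):
    """Return the names the FTP inspection policy would reset.

    re.search is used rather than re.fullmatch because the ASA matches the
    pattern anywhere in the string unless the pattern itself is anchored.
    """
    return [name for name in filenames if re.search(pattern, name)]


def unintended_blocks(pattern, filenames, intended):
    """Names blocked by `pattern` that are not in the `intended` set."""
    return [name for name in blocked_by(pattern, filenames) if name not in intended]


if __name__ == "__main__":
    intended = {"1setup.exe", "2016-firmware.bin"}
    for label, pattern in (("original", REGEX_ORIGINAL), ("fixed", REGEX_FIXED)):
        print(f"{label:8s} {pattern}")
        print("  blocks:    ", blocked_by(pattern, SAMPLE_FILENAMES))
        print("  unintended:", unintended_blocks(pattern, SAMPLE_FILENAMES, intended))
```

The flawed pattern resets every transfer that starts with a digit, including 3readme.txt and 5exe; the corrected one resets only names containing .bin or .exe after a leading digit. The one name the corrected pattern still catches beyond the intended two, 4archive.bin.txt, is the missing-end-anchor caveat from the text above.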

One last note in regards to regular expression matching. We need to be able to find this on the doc-cd as quickly as possible. If we go to the doc-cd (http://www.cisco.com/cisco/web/psa/configure.html), we can find several references to this wildcard matching. A few ways are shown below:

1)  Click on Products –> Security –> Firewall –> Firewall Appliances –> Cisco ASA 5500 series adaptive security appliance –> Reference Guides (on the left-hand side of the sub links) –> Cisco ASA 5500 Series Command Reference, 8.2 –> look up the regex command within the command reference and you will see the table there.

2)  Click on Products –> Security –> Firewall –> Firewall Appliances –> Cisco ASA 5500 series adaptive security appliance –> Configuration Guides and TechNotes –> ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example

I hope this entry has been helpful for you, and I look forward to future entries on the powerful MPF and its configuration. I will be coming up with future scenarios involving matching, so stay tuned.
