Hi DMG

When you use NBAR, I think it is not using regex. This is a popular NBAR config to detect attacks in HTTP URLs:

Router(config)#class-map match-any http-hacks
Router(config-cmap)#match protocol http url "*default.ida*"
Router(config-cmap)#match protocol http url "*cmd.exe*"
Router(config-cmap)#match protocol http url "*root.exe*"

http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml

On ASA, the regex patterns would have been as follows:

.*default\.ida.*
.*cmd\.exe.*
.*root\.exe.*

Check it out, just test the NBAR pattern using the ASA test regex tool, I think it will fail.

With Regards
Kings

On Thu, Jun 3, 2010 at 5:00 PM, Dnyaneshwar Gore <[email protected]> wrote:

> Hi All,
>
> Kindly confirm my observations:
>
> - regex is only required for application inspection, specifically HTTP
>   (and SMTP - email address matching) in ASA & IOS (ZBF)
> - regex uses metacharacters to match multiple variants of a text.
> - regex used in an NBAR class map is different than the regex used in
>   application inspection. For example, to match the ".jpeg" string, NBAR will
>   use the match protocol http url *.jpeg command, whereas regex used in
>   application inspection will use the pattern .*\.com command under
>   parameter-map configuration.
>
> Anywhere else regex is used?
>
> Kindly share your thoughts.
>
>
> Regards,
> DMG
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
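Added example, not part of the original thread: the difference between the NBAR wildcard patterns and the ASA regex patterns quoted above, shown by translating one form into the other. Python's re module stands in for the ASA regex engine, and treating only "*" as an NBAR wildcard is an assumption; the function names and sample URLs are constructed for illustration.

```python
import re

# NBAR URL patterns quoted in the thread above.
NBAR_PATTERNS = ["*default.ida*", "*cmd.exe*", "*root.exe*"]

def nbar_to_regex(pattern):
    """Translate an NBAR-style wildcard pattern into a regex string.

    Assumption: only '*' is a wildcard (any run of characters); every
    other character, including '.', is taken literally and escaped.
    """
    return ".*".join(re.escape(part) for part in pattern.split("*"))

def naive_to_regex(pattern):
    """Common mistake: expand '*' but leave '.' unescaped (matches any char)."""
    return pattern.replace("*", ".*")

def compiles_as_regex(pattern):
    """Return True if the regex engine accepts the string unchanged."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def matching_patterns(url):
    """Return the NBAR patterns whose regex translation matches the URL."""
    return [p for p in NBAR_PATTERNS if re.search(nbar_to_regex(p), url)]

# Constructed sample request URLs, not taken from real traffic.
SAMPLE_URLS = ["/default.ida?x=1", "/scripts/root.exe", "/index.html", "/defaultXida"]

if __name__ == "__main__":
    for p in NBAR_PATTERNS:
        print(p, "->", nbar_to_regex(p), "| valid regex as-is:", compiles_as_regex(p))
    for url in SAMPLE_URLS:
        print(url, "->", matching_patterns(url))
```

A leading "*" has nothing to repeat, so the NBAR string is rejected when handed to the regex engine unchanged, and leaving the dot unescaped makes the signature match unrelated URLs such as /defaultXida.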
