I was actually doing some research on DDOS attacks and what the ASA is capable of, when I came across this little known feature. Regex or regular expressions are used to match text strings or patterns in text. My thought though in how I could use it was to actually protect the very site you are reading. Now if you have ever hosted a public web site, you will know all to well just how many people are out there trying to access your server every single day. They are relentless.

Now of course there are application firewalls which I of course use on my word press sites (Thumbs up to the fantastic Wordfence) but I will never be updating my word press site over the web so would of course never have the need to login via the plain text HTTP. (God forbid) So I decided why not just block any muppet at the firewall itself that even tries to access the wp-login.php page. Now we’re talking. (And yes I’m quite aware I could set up TLS but so far I can’t be bothered)


The configuration is actually very simple and is based on the ASA MPF or ‘modular policy framework.’ Simply remembered as identify, apply and activate. This is the very configuration I have in use on my firewall.

regex attackstring "wp-login.php"

access-list HTTP_Attack remark *** Block attempted wp-login.php login ***
access-list HTTP_Attack extended permit tcp any4 object Reverse-Proxy eq www

class-map Web-Attack
 match access-list HTTP_Attack
policy-map type inspect http HTTP-Attack
 match request uri regex attackstring
 match request args regex attackstring

policy-map Police_Internet-Traffic
 class Web-Attack
  inspect http HTTP-Attack

service-policy InternetTraffic-Policy interface outside

As you can see, you start with the regular expression itself and then create the access list to apply the traffic to, the traffic in my case is all web traffic to my reverse proxy. The next stage is the class-map which references the access-list to match traffic. The policy-map inspects the HTTP traffic and says if i see wp-login.php drop the connection, no arguments.  The class is added to a policy-map and told to inspect web traffic, this is finally applied to an interface or the global policy if required. In my case it is tied to an interface as it does a number of things and I don’t need to block my access! Remember you can only have a single policy-map per interface and a global policy but many classes per policy-map. This of course will only work for http traffic as https traffic is encrypted e.g. the ASA would not be able to inspect it.

Go on though, give it a try. If you have asimilar situation it may just be what you’re after.

Cisco ASA regex blocking
Tagged on:                 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.