Configuring Special Actions For Application Inspections; Creating A Regular Expression - Cisco PIX 500 Series Configuration Manual

Cisco Security Appliance Command Line Configuration Guide (OL-12172-03)
Chapter 21: Using Modular Policy Framework

Configuring Special Actions for Application Inspections

Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as defined in an inspection policy map.

See the "Configuring Application Inspection" section on page 25-5 for a list of applications that support inspection policy maps.

An inspection policy map consists of one or more of the following elements. The exact options available for an inspection policy map depend on the application.

- Traffic matching command—You can define a traffic matching command directly in the inspection policy map to match application traffic to criteria specific to the application, such as a URL string, for which you then enable actions.
- Inspection class map—(Not available for all applications. See the CLI help for a list of supported applications.) An inspection class map includes traffic matching commands that match application traffic with criteria specific to the application, such as a URL string. You then identify the class map in the policy map and enable actions. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that you can create more complex match criteria and you can reuse class maps.
- Parameters—Parameters affect the behavior of the inspection engine.

Some traffic matching commands can specify regular expressions to match text inside a packet. Be sure to create and test the regular expressions before you configure the policy map, either singly or grouped together in a regular expression class map.

The default inspection policy map configuration includes the following commands, which set the maximum message length for DNS packets to 512 bytes:

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512

Note: There are other default inspection policy maps such as policy-map type inspect esmtp _default_esmtp_map. These default policy maps are created implicitly by the command inspect protocol. For example, inspect esmtp implicitly uses the policy map "_default_esmtp_map." All the default policy maps can be shown by using the show running-config all policy-map command.

This section describes how to create additional inspection policy maps, and includes the following topics:

- Creating a Regular Expression
- Creating a Regular Expression Class Map
- Identifying Traffic in an Inspection Class Map
- Defining Actions in an Inspection Policy Map

Creating a Regular Expression

A regular expression matches text strings either literally as an exact string, or by using metacharacters so you can match multiple variants of a text string. You can use a regular expression to match the content of certain application traffic; for example, you can match a URL string inside an HTTP packet.
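The following configuration is an added example, not taken from the Cisco manual. It shows how the three elements of an inspection policy map (an inspection class map, a direct traffic matching command, and parameters) fit together with regular expressions for HTTP inspection. All object names, the example.com patterns, and the interface name "outside" are assumptions chosen for illustration.

```cisco
! Constructed example: every name below (url_example1, url_variants,
! BLOCKED_URLS, HTTP_BLOCKED, HTTP_INSPECT_MAP, WEB_TRAFFIC, OUTSIDE_POLICY)
! is hypothetical.

! Regular expressions: one literal string (the dot is escaped so it is not
! treated as a metacharacter) and one that uses a character class to match
! two variants of a string.
regex url_example1 example\.com
regex url_variants [Ee]xample2\.com

! Test each expression against sample text before it is used in a policy map.
test regex www.example.com example\.com
test regex www.Example2.com [Ee]xample2\.com

! Regular expression class map: groups the expressions; match-any means
! traffic matches if any one of them matches.
class-map type regex match-any BLOCKED_URLS
 match regex url_example1
 match regex url_variants

! Inspection class map: reusable HTTP match criteria built on the regex class.
class-map type inspect http match-all HTTP_BLOCKED
 match request uri regex class BLOCKED_URLS

! Inspection policy map containing all three element types.
policy-map type inspect http HTTP_INSPECT_MAP
 ! Parameters: affect the behavior of the inspection engine itself.
 parameters
  protocol-violation action log
 ! Inspection class map, with the action to take on a match.
 class HTTP_BLOCKED
  drop-connection log
 ! Traffic matching command defined directly in the policy map.
 match request uri regex url_variants
  reset log

! Layer 3/4 class map and policy map: enable the HTTP inspection engine
! and attach the inspection policy map to it.
class-map WEB_TRAFFIC
 match port tcp eq 80
policy-map OUTSIDE_POLICY
 class WEB_TRAFFIC
  inspect http HTTP_INSPECT_MAP

! Apply the Layer 3/4 policy to an interface (interface name assumed).
service-policy OUTSIDE_POLICY interface outside
```

Because both actions include the log keyword, a match produces a system log message, which lets you confirm that the expressions match only the intended traffic.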

This manual is also suitable for:

ASA 5500 series