Dears,
In the technologies workbook, I tried to apply the configuration for the section "Preventing Application Attacks Using MPF".
I applied the following configuration for FTP inspection:
class-map FTP_CMAP
 match port tcp eq ftp
class-map type regex match-any FTP_REGEX
 match regex CISCO
 match regex c100
 match regex c200
class-map type inspect ftp match-any INSPECT_CMAP
 match request-command dele
policy-map type inspect ftp INSPECT_PMAP
 parameters
  mask-banner
  mask-syst-reply
 class INSPECT_CMAP
  reset
 match filename regex class FTP_REGEX
  reset
policy-map FTP_PMAP
 class FTP_CMAP
  inspect ftp strict INSPECT_PMAP
service-policy FTP_PMAP interface inside
Regarding the delete command, everything works fine and the session is closed. However, with regex, I am trying to copy a file starting with "cisco", or "c100" or "c200", but the session is still open and the file is copied successfully.
Here is the output for the command: sh service-policy interface inside inspect ftp
ciscoasa# sh service-policy interface inside inspect ftp
Interface inside:
  Service-policy: FTP_PMAP
    Class-map: FTP_CMAP
      Inspect: ftp strict INSPECT_PMAP, packet 383, drop 8, reset-drop 4, v6-fail-close 0
        Cmd in reply mode drop 8
        mask-banner enabled
        mask-syst-reply enabled
        class INSPECT_CMAP (match-any)
          Match: request-command dele , 3 packets
          reset, packet 3
        match filename regex class FTP_REGEX
          reset, packet 0
Please advise.