RE: Code Red - and its workarounds with NBAR

From: Henry (henryd31@xxxxxxxx)
Date: Tue Aug 14 2001 - 06:07:09 GMT-3


   
Just got to implement it and it worked !

Thanks.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Gordon W Skinner
Sent: Tuesday, August 14, 2001 2:09 AM
To: henryd31@home.com
Cc: ccielab@groupstudy.com
Subject: Re: Code Red - and its workarounds with NBAR

When I was looking at this I found that, on the feature sets we are running, the
HTTP protocol is not supported in versions below 12.1(5)T.

See below on a 7200 running 12.1(4)E1:

VEWAN-R1(config)#class-map match-any http
TEST-R1(config-cmap)#match protocol ?
  aarp AppleTalk ARP
  apollo Apollo Domain
  appletalk AppleTalk
  arp IP ARP
  bridge Bridging
  bstun Block Serial Tunnel
  cdp Cisco Discovery Protocol
  clns ISO CLNS
  clns_es ISO CLNS End System
  clns_is ISO CLNS Intermediate System
  cmns ISO CMNS
  compressedtcp Compressed TCP
  decnet DECnet
  decnet_node DECnet Node
  decnet_router-l1 DECnet Router L1
  decnet_router-l2 DECnet Router L2
  dlsw Data Link Switching
  ip IP
  ipx Novell IPX
  llc2 llc2
  pad PAD links
  qllc qllc protocol
  rsrb Remote Source-Route Bridging
  snapshot Snapshot routing support
  stun Serial Tunnel
  vines Banyan VINES
  vofr voice over Frame Relay packets
  xns Xerox Network Services

Regards

Gordon

henryd31@home.com on 08/14/2001 05:41:40 AM

Please respond to henryd31@home.com

To: ccielab@groupstudy.com
cc: (bcc: Gordon W Skinner)
Subject: Code Red - and its workarounds with NBAR

Guys,

Sorry if this is off topic here. I think this is within our studying depth, but
if not, then I apologize ahead of time before someone decides on unneeded
criticism.

Anyway, I need to change a bit the example from Cisco's web site to prevent
Code Red spreading through the routers by using NBAR.

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

And here is what I'm trying to do.

class-map match-any http-hacks
  match protocol http url "*default.ida*"
  match protocol http url "*x.ida*"
  match protocol http url "*.ida*"
  match protocol http url "*cmd.exe*"
  match protocol http url "*root.exe*"
class-map match-any normal-traffic
  match any
!
!
policy-map drop-inbound-http-hacks
  class http-hacks
    police 10000 1000 1000 conform-action drop exceed-action drop violate-action drop
  class normal-traffic
    police 10000000 10000 10000 conform-action transmit exceed-action transmit

Simply speaking, I'm trying to bypass the marking of the packets (with either
DSCP or Precedence), as they are already identified by the class map
'http-hacks', and enforce the policing right in the first policy-map. One of
the reasons I'm trying to do this is that I don't want to upgrade to their
recommended IOS version >= 12.1.5T; I'm running 12.0.18S Service Provider
version currently. All this looks good, but I'm not sure, if I implement this,
whether it will work properly. I can't test it; not much time left before I
have to implement something there.

Any ideas as to whether this should work, or someone implemented it
would be greatly appreciated.

Thanks and sorry for OT.
**Please read:http://www.groupstudy.com/list/posting.html
This communication is for informational purposes only. It is not intended as an
offer or solicitation for the purchase or sale of any financial instrument or
as an official confirmation of any transaction. All market prices, data and
other information are not warranted as to completeness or accuracy and are
subject to change without notice. Any comments or statements made herein do not
necessarily reflect those of J.P. Morgan Chase & Co., its subsidiaries and
affiliates.
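To see what the five `match protocol http url` globs in the class-map above would actually classify, here is an added example (not code from the thread, from Cisco, or from the NBAR feature itself) that applies the same patterns to HTTP request lines and sorts them into the two classes the policy-map uses. It assumes that `*` in an NBAR URL pattern means "any run of characters" and that matching is case-insensitive; neither assumption is documented on this page. The request lines are constructed samples shaped like the worm probes the patterns are aimed at, not captured traffic.

```python
"""Apply the thread's NBAR-style URL globs to HTTP request lines.

Added example, not from the original post. The glob semantics ('*' is the
only wildcard, matching is case-insensitive) are assumptions, not documented
NBAR behaviour.
"""
import re

# The class-map from the thread. 'match-any' means a request that hits any
# one of these globs is classified as http-hacks.
HTTP_HACKS = [
    "*default.ida*",
    "*x.ida*",
    "*.ida*",
    "*cmd.exe*",
    "*root.exe*",
]


def glob_to_regex(glob):
    """Translate a URL glob to an anchored regex.

    Assumption: only '*' is a wildcard; every other character is literal,
    so '.' in 'default.ida' does not become a regex metacharacter.
    """
    parts = [re.escape(p) for p in glob.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


_HACK_PATTERNS = [(g, glob_to_regex(g)) for g in HTTP_HACKS]


def request_target(request_line):
    """Return the request-target of 'GET /x HTTP/1.0' ('/x'), or None.

    Path and query string are kept together, since the worm's payload
    sits in the query part after 'default.ida?'.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return None
    return parts[1]


def classify(request_line):
    """Return the first glob that matches, or None for normal-traffic."""
    url = request_target(request_line)
    if url is None:
        return None
    for glob, rx in _HACK_PATTERNS:
        if rx.match(url):
            return glob
    return None


def summarize(request_lines):
    """Count requests per policy-map class (http-hacks vs normal-traffic)."""
    counts = {"http-hacks": 0, "normal-traffic": 0}
    for line in request_lines:
        counts["http-hacks" if classify(line) else "normal-traffic"] += 1
    return counts


# Constructed sample request lines (not captured traffic). The first three
# are shaped like Code Red / Code Red II probes and the backdoor requests
# the thread's patterns target; the last two are ordinary requests.
SAMPLE_REQUESTS = [
    "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /images/logo.gif HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{classify(line) or 'normal-traffic':16} {line}")
    print(summarize(SAMPLE_REQUESTS))
```

Note that the third glob, `*.ida*`, already covers the first two, so the ordering only affects which pattern is reported as the hit, not whether a request is dropped; and because every glob is substring-style, any legitimate `.ida` resource on the server is classified as an attack as well, which is the trade-off the Cisco write-up accepts.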



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:50 GMT-3