From: Ling Jiang (linjiang@xxxxxxxxx)
Date: Tue Nov 13 2001 - 23:32:33 GMT-3
Hello, All
Pls share the newest class-map match-any http-hacks.
Thanks and Best regards//Jiang Ling
>From: "Brad Ellis" <bellis@ccbootcamp.com>
>To: "Przemyslaw Karwasiecki" <karwas@ifxcorp.com>,
> "Martin, Chris"
> <chris@pacinter.net>, <ccielab@groupstudy.com>
>Cc: "Jeff K." <jeffbk@austin.rr.com>
>Subject: Re: class-map on border router for virus
>Date: Wed, 19 Sep 2001 02:26:55 -0400
>Organization: Network Learning Inc
>X-Mailer: Microsoft Outlook Express 5.50.4807.1700
>Sender: nobody@groupstudy.com
>Reply-To: "Brad Ellis" <bellis@ccbootcamp.com>
>
>Here's my working config (with thanks to John Kaberna and Chris Martin) on a
>2610 router:
>
>
>ip cef
>
>class-map match-any http-hacks
> match protocol http url "*default.ida*"
> match protocol http url "*x.ida*"
> match protocol http url "*.ida*"
> match protocol http url "*cmd.exe*"
> match protocol http url "*root.exe*"
> match protocol http url "*_vti_bin*"
> match protocol http url "*_mem_bin*"
> match protocol http mime "*readme.exe*"
> match protocol http mime "*readme.eml*"
>
>policy-map mark-inbound-http-hacks
> class http-hacks
> set ip dscp 1
>
>interface Serial0/0
> ip access-group 101 in
> service-policy input mark-inbound-http-hacks
>
>interface Ethernet0/0
> ip access-group 101 out
>
>access-list 101 deny ip any any dscp 1 log
>access-list 101 permit ip any any
>
>thanks,
>-Brad Ellis
>CCIE#5796
>Network Learning Inc
>bellis@optsys.net
>used Cisco: www.optsys.net
>
>----- Original Message -----
>From: "Przemyslaw Karwasiecki" <karwas@ifxcorp.com>
>To: "Przemyslaw Karwasiecki" <karwas@ifxcorp.com>; "Martin, Chris"
><chris@pacinter.net>; <ccielab@groupstudy.com>
>Cc: "Jeff K." <jeffbk@austin.rr.com>
>Sent: Wednesday, September 19, 2001 1:18 AM
>Subject: RE: class-map on border router for virus
>
>
> > Answering my own post:
> >
> > ACL needs to be applied on egress, and be "out"
> >
> > Now I have it working!
> >
> > Przemek
> >
> > -----Original Message-----
> > From: Przemyslaw Karwasiecki [mailto:karwas@ifxcorp.com]
> > Sent: Wednesday, September 19, 2001 12:48 AM
> > To: Martin, Chris; ccielab@groupstudy.com
> > Cc: Jeff K.
> > Subject: RE: class-map on border router for virus
> >
> >
> > Hi Chris,
> >
> > In my case classification policy seems to work:
> >
> > USMIANOC3662x1#sh policy-map interface Serial1/0:0
> > (... snip ...)
> > QoS Set
> > ip dscp 1
> > Packets marked 1539
> > (... snip ...)
> >
> > But for some unexplained reason access list applied to the
> > same interface doesn't:
> >
> > USMIANOC3662x1#sh access-lists 102
> > Extended IP access list 102
> > deny ip any any dscp 1 log
> > permit ip any any (226583 matches)
> > USMIANOC3662x1#
> >
> >
> > Any ideas why?
> >
> > Przemek
> >
> > PS.
 > > Oops, I've forgotten IOS ver:
> > USMIANOC3662x1#sh ver
> > Cisco Internetwork Operating System Software
 > > IOS (tm) 3600 Software (C3660-P-M), Version 12.2(2)T, RELEASE SOFTWARE (fc1)
> >
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > Martin, Chris
> > Sent: Tuesday, September 18, 2001 6:31 PM
> > To: ccielab@groupstudy.com
> > Cc: Jeff K.
> > Subject: class-map on border router for virus
> >
> >
> > Hi Group:
 > > As we all know there has been much discussion on the current virus
 > > floating around. I have a class-map statement on my border router that seems
 > > to be doing the trick, from what my sniffer tells me. Anyway, try it out and
 > > see if it works for you, if you have anything to add, please email me so that
 > > I may benefit from your findings as well:
> >
> > class-map match-any http-hacks
> > match protocol http url "*default.ida*"
> > match protocol http url "*x.ida*"
> > match protocol http url "*.ida*"
> > match protocol http url "*cmd.exe*"
> > match protocol http url "*root.exe*"
> > match protocol http url "*_vti_bin*"
> > match protocol http url "*_mem_bin*"
> > match protocol http mime "*readme.exe*"
> > match protocol http mime "*readme.eml*"
> >
> >
> > policy-map mark-inbound-http-hacks
> > class http-hacks
> > set ip dscp 1
> >
> > int ser 1/1
> > ip access-group 110 in
> >
> >
> > access-list 110 deny ip any any dscp 1 log
> > access-list 110 permit ip any any
> > **Please read:http://www.groupstudy.com/list/posting.html
Name: Jiang Ling
System Engineer
EC-NSP team
Tel No. 0086-21-53966161x4547
Mobile: 13701808109
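
Added example, not part of any message in this thread and not Cisco code: a Python script that applies the URL globs from the `http-hacks` class-map to web-server access logs, so the same signatures can be checked on the server behind the router. The Common Log Format input, the case-insensitive comparison, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# URL globs copied from the thread's "class-map match-any http-hacks".
# The two "match protocol http mime" lines are not URL patterns and are left out.
URL_GLOBS = ["*default.ida*", "*x.ida*", "*.ida*", "*cmd.exe*",
             "*root.exe*", "*_vti_bin*", "*_mem_bin*"]

# Common Log Format: host ident user [time] "METHOD URL PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def matching_globs(url):
    """Return every glob the URL satisfies (match-any: one hit flags it)."""
    low = url.lower()  # assumption: compare case-insensitively for log triage
    return [g for g in URL_GLOBS if fnmatchcase(low, g)]

def scan(lines):
    """Map source host -> [(url, status, matched globs)] for flagged requests."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # ignore lines that are not well-formed CLF
        host, _method, url, status = m.groups()
        globs = matching_globs(url)
        if globs:
            hits[host].append((url, int(status), globs))
    return dict(hits)

# Constructed sample log lines (documentation addresses, placeholder paths).
SAMPLE = [
    '192.0.2.10 - - [19/Sep/2001:02:00:01 -0400] "GET /default.ida?placeholder HTTP/1.0" 404 310',
    '192.0.2.10 - - [19/Sep/2001:02:00:02 -0400] "GET /scripts/ROOT.EXE HTTP/1.0" 404 310',
    '198.51.100.7 - - [19/Sep/2001:02:00:03 -0400] "GET /index.html HTTP/1.0" 200 2048',
    '198.51.100.7 - - [19/Sep/2001:02:00:04 -0400] "GET /_vti_bin/placeholder.dll HTTP/1.0" 404 310',
    'not a log line',
    # Benign URL that still matches the broad "*.ida*" glob (false positive).
    '203.0.113.5 - - [19/Sep/2001:02:00:05 -0400] "GET /docs/guide.idaho.html HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for host, reqs in scan(SAMPLE).items():
        for url, status, globs in reqs:
            print(f"{host} {status} {url} matched {', '.join(globs)}")
```

The last sample line shows that a substring glob such as `*.ida*` also flags unrelated URLs, so hits from these patterns need review before they are treated as worm traffic.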
This archive was generated by hypermail 2.1.4 : Fri Jun 21 2002 - 06:45:15 GMT-3