NBAR - THIS IS SO COOL!

From: Ken.Farrington@barclayscapital.com
Date: Tue Oct 07 2003 - 18:03:23 GMT-3


Guys,

Just playing around with NBAR and this is sooo powerful (simple example for clarity).
This is cool stuff, for virus protection etc etc using MIME, URLs etc etc etc.

It's been a day of complete QoS so this rounds it up for today.

!
class-map match-all http_interface
  match protocol http url "/exec/show/interfaces/*"
class-map match-all http_log
  match protocol http url "/exec/show/log/*"
!
!
policy-map cisco
  class http_interface
   set ip precedence 5
  class http_log
   set ip precedence 1
!
interface Ethernet0/0
 ip address 142.220.23.2 255.255.255.0
 service-policy output cisco
 no ip mroute-cache
!

So just using the ip http server function on a Cisco router and connecting from a PC.

-------------------------------------------------------------------------------

I hit the 1st URL "show interface" (url and change DSCP)

Frame 50 (476 on wire, 476 captured)
    Arrival Time: Oct 7, 2003 21:28:05.979311000
    Time delta from previous packet: 0.095759000 seconds
    Time relative to first packet: 13.456475000 seconds
    Frame Number: 50
    Packet Length: 476 bytes
    Capture Length: 476 bytes
Ethernet II
    Destination: 00:00:0c:5c:b7:1a (00:00:0c:5c:b7:1a)
    Source: 00:04:27:4c:d2:a0 (00:04:27:4c:d2:a0)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 142.220.21.99 (142.220.21.99), Dst Addr: 142.220.23.1 (142.220.23.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0xa0 (DSCP 0x28: Class Selector 5; ECN: 0x00)
        1010 00.. = Differentiated Services Codepoint: Class Selector 5 (0x28)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 462
    Identification: 0x086f
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 124
    Protocol: TCP (0x06)
    Header checksum: 0xb252 (correct)
    Source: 142.220.21.99 (142.220.21.99)
    Destination: 142.220.23.1 (142.220.23.1)
Transmission Control Protocol, Src Port: 1113 (1113), Dst Port: 80 (80), Seq: 1515601437, Ack: 1933202586, Len: 422
    Source port: 1113 (1113)
    Destination port: 80 (80)
    Sequence number: 1515601437
    Next sequence number: 1515601859
    Acknowledgement number: 1933202586
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16616
    Checksum: 0xf11d (correct)
Hypertext Transfer Protocol
    GET /exec/show/interfaces/CR HTTP/1.1\r\n
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*\r\n
    Referer: http://142.220.23.1\r\n
    Accept-Language: en-gb\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; YComp 5.0.2.6)\r\n
    Host: 142.220.23.1\r\n
    Connection: Keep-Alive\r\n
    Authorization: Basic OmNpc2Nv\r\n
    \r\n

-------------------------------------------------------------------------------

I hit the 2nd "show log" (and change DSCP to another value)

Frame 42 (469 on wire, 469 captured)
    Arrival Time: Oct 7, 2003 21:30:25.621869000
    Time delta from previous packet: 0.113529000 seconds
    Time relative to first packet: 13.965903000 seconds
    Frame Number: 42
    Packet Length: 469 bytes
    Capture Length: 469 bytes
Ethernet II
    Destination: 00:00:0c:5c:b7:1a (00:00:0c:5c:b7:1a)
    Source: 00:04:27:4c:d2:a0 (00:04:27:4c:d2:a0)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 142.220.21.99 (142.220.21.99), Dst Addr: 142.220.23.1 (142.220.23.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x20 (DSCP 0x08: Class Selector 1; ECN: 0x00)
        0010 00.. = Differentiated Services Codepoint: Class Selector 1 (0x08)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 455
    Identification: 0x08a0
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 124
    Protocol: TCP (0x06)
    Header checksum: 0xb2a8 (correct)
    Source: 142.220.21.99 (142.220.21.99)
    Destination: 142.220.23.1 (142.220.23.1)
Transmission Control Protocol, Src Port: 1114 (1114), Dst Port: 80 (80), Seq: 1550512713, Ack: 2620524933, Len: 415
    Source port: 1114 (1114)
    Destination port: 80 (80)
    Sequence number: 1550512713
    Next sequence number: 1550513128
    Acknowledgement number: 2620524933
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16616
    Checksum: 0xfa47 (correct)
Hypertext Transfer Protocol
    GET /exec/show/log/CR HTTP/1.1\r\n
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*\r\n
    Referer: http://142.220.23.1\r\n
    Accept-Language: en-gb\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; YComp 5.0.2.6)\r\n
    Host: 142.220.23.1\r\n
    Connection: Keep-Alive\r\n
    Authorization: Basic OmNpc2Nv\r\n
    \r\n

-------------------------------------------------------------------------------

Hit the 3rd "show tech-supp" (DSCP unchanged)

Frame 70 (478 on wire, 478 captured)
    Arrival Time: Oct 7, 2003 21:44:40.912014000
    Time delta from previous packet: 0.114374000 seconds
    Time relative to first packet: 25.863971000 seconds
    Frame Number: 70
    Packet Length: 478 bytes
    Capture Length: 478 bytes
Ethernet II
    Destination: 00:00:0c:5c:b7:1a (00:00:0c:5c:b7:1a)
    Source: 00:04:27:4c:d2:a0 (00:04:27:4c:d2:a0)
    Type: IP (0x0800)
Internet Protocol, Src Addr: 142.220.21.99 (142.220.21.99), Dst Addr: 142.220.23.1 (142.220.23.1)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 464
    Identification: 0x095b
    Flags: 0x04
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 124
    Protocol: TCP (0x06)
    Header checksum: 0xb204 (correct)
    Source: 142.220.21.99 (142.220.21.99)
    Destination: 142.220.23.1 (142.220.23.1)
Transmission Control Protocol, Src Port: 1115 (1115), Dst Port: 80 (80), Seq: 1764092502, Ack: 2397754494, Len: 424
    Source port: 1115 (1115)
    Destination port: 80 (80)
    Sequence number: 1764092502
    Next sequence number: 1764092926
    Acknowledgement number: 2397754494
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 16616
    Checksum: 0xf615 (correct)
Hypertext Transfer Protocol
    GET /exec/show/tech-support/cr HTTP/1.1\r\n
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*\r\n
    Referer: http://142.220.23.1\r\n
    Accept-Language: en-gb\r\n
    Accept-Encoding: gzip, deflate\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; YComp 5.0.2.6)\r\n
    Host: 142.220.23.1\r\n
    Connection: Keep-Alive\r\n
    Authorization: Basic OmNpc2Nv\r\n
    \r\n

-------------------------------------------------------------------------------
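An added example, not from Ken's post or from Cisco, that models the classification and marking the post demonstrates: the NBAR URL wildcard match, the precedence-to-DS-byte arithmetic that explains why the three captures show 0xa0, 0x20 and 0x00, and a check that each observed marking is what the policy predicts (useful when verifying a service-policy or spotting traffic that arrives pre-marked). It assumes only the `*` wildcard and first-matching-class-wins evaluation, both simplifications of real NBAR.

```python
"""Model of the post's NBAR URL class-maps and 'set ip precedence' marking,
checked against the three captured requests. Added example, not from the post."""
import re

# Policy from the post: (class name, URL pattern, precedence), in policy-map order.
POLICY_CISCO = [
    ("http_interface", "/exec/show/interfaces/*", 5),
    ("http_log", "/exec/show/log/*", 1),
]

def url_pattern_to_regex(pattern):
    """Anchored regex for an NBAR URL wildcard; assumption: only '*' is modelled."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$")

def classify(url, policy=POLICY_CISCO):
    """(class_name, precedence) of the first matching class, or None."""
    for name, pattern, prec in policy:
        if url_pattern_to_regex(pattern).match(url):
            return name, prec
    return None

def ds_field_for_precedence(prec):
    """'set ip precedence N' fills the top 3 bits of the DS byte:
    DSCP = N << 3 (class selector CSN), DS field = DSCP << 2 = N << 5."""
    if not 0 <= prec <= 7:
        raise ValueError("IP precedence is a 3-bit value")
    return prec << 5

def decode_ds_field(ds):
    """Split the DS byte the way the capture does: 6-bit DSCP, 2-bit ECN."""
    return {"dscp": ds >> 2, "precedence": ds >> 5, "ecn": ds & 0x3}

def request_path(http_request):
    """Request-target from the first line of a raw HTTP request."""
    return http_request.split("\r\n", 1)[0].split(" ")[1]

def check_capture(http_request, observed_ds, original_ds=0x00):
    """True when the observed DS byte is what the policy predicts for this
    request; unmatched traffic is expected to keep its original marking.
    A mismatch means the policy is not applied on that egress, or another
    device is marking the traffic itself."""
    hit = classify(request_path(http_request))
    expected = ds_field_for_precedence(hit[1]) if hit else original_ds
    return expected == observed_ds

# Request lines and DS bytes taken from the post's three Ethereal frames.
CAPTURES = [
    ("GET /exec/show/interfaces/CR HTTP/1.1\r\nHost: 142.220.23.1\r\n\r\n", 0xa0),
    ("GET /exec/show/log/CR HTTP/1.1\r\nHost: 142.220.23.1\r\n\r\n", 0x20),
    ("GET /exec/show/tech-support/cr HTTP/1.1\r\nHost: 142.220.23.1\r\n\r\n", 0x00),
]
```

Running `check_capture` over `CAPTURES` returns True for all three frames, matching the DSCP values decoded in the dumps above.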



This archive was generated by hypermail 2.1.4 : Mon Nov 24 2003 - 07:52:58 GMT-3