RE: NBAR with class based policing

From: Dmitry Volkov (dmitry.volkov@rogers.com)
Date: Mon Jan 26 2004 - 22:40:54 GMT-3


Thanks Vilmos, I also tested it.
Works fine on the same interface with direction input;
no "ip nbar protocol-discovery" necessary. Only test.asp blocked, default
IIS5 iisstart.asp was not blocked.

class-map match-any http-hacks
  match protocol http url "*default.ida*"
  match protocol http url "*cmd.exe*"
  match protocol http url "*root.exe*"
  match protocol http url "*test.asp*" <------------!!!
!
policy-map drop-hacks
  class http-hacks
     police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
interface Ethernet0/0
 description OUTSIDE INTERFACE
 ip address 130.100.26.6 255.255.255.224
 service-policy input drop-hacks

r6#sh policy-map interface e0/0
 Ethernet0/0

  Service-policy input: drop-hacks

    Class-map: http-hacks (match-any)
      11 packets, 3270 bytes <------------------------------ !!!!
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*default.ida*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*cmd.exe*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*root.exe*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*test.asp*"
        11 packets, 3270 bytes <--------------!!!!
        5 minute rate 0 bps
      police:
        1000000 bps, 31250 limit, 31250 extended limit
        conformed 11 packets, 3270 bytes; action: drop <----- !!!!
        exceeded 0 packets, 0 bytes; action: drop
        violated 0 packets, 0 bytes; action: drop
        conformed 0 bps, exceed 0 bps, violate 0 bps

    Class-map: class-default (match-any)
      475 packets, 45379 bytes <------------------------ !!!!
      5 minute offered rate 1000 bps, drop rate 0 bps
      Match: any
r6#

Thanks Everybody,
Dmitry
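The thread's working config is a class-map of NBAR url globs feeding a policer whose three actions are all "drop". The Python below is an added example (not code from the thread, from Cisco, or from any poster) that simulates exactly that: it applies the four match statements to constructed HTTP request lines, runs the hits through a single-rate three-colour policer built from the same numbers the two configs use (1000000/31250/31250 and cir 8000 with bc/be 1500), and produces counters shaped like the `show policy-map interface` output above. It assumes NBAR's `*` means any string and `?` any single character (the rest of NBAR's url syntax is not modelled) and that the URL is compared as sent on the wire, without percent-decoding; the `decode` flag, the `SingleRatePolicer` class and all sample requests are mine.

```python
"""Simulation of the thread's NBAR url class-map and all-drop policer.

Added example, not code from the thread or from Cisco. Request lines and
packet sizes are constructed. Assumptions: '*' = any string, '?' = one char
(other NBAR url syntax not modelled); NBAR compares the URL as sent, without
percent-decoding, and the `decode` flag only exists to show what that costs.
"""
import re
from urllib.parse import unquote

# The match statements from class-map match-any http-hacks in the thread.
HTTP_HACKS = ['*default.ida*', '*cmd.exe*', '*root.exe*', '*test.asp*']

# police ... conform-action drop exceed-action drop violate-action drop
ALL_DROP = {'conform': 'drop', 'exceed': 'drop', 'violate': 'drop'}


def nbar_glob_to_regex(pattern):
    """Translate an NBAR url glob into an anchored regex ('*' -> .*, '?' -> .)."""
    out = ['.*' if c == '*' else '.' if c == '?' else re.escape(c) for c in pattern]
    return re.compile('^' + ''.join(out) + '$')


def classify(request_line, patterns=HTTP_HACKS, decode=False):
    """Return the first matching pattern for an HTTP request line, else None
    (match-any: the first match statement that hits is the one credited)."""
    try:
        _method, url, _version = request_line.split(' ', 2)
    except ValueError:
        return None
    if decode:                      # not NBAR behaviour, see module docstring
        url = unquote(url)
    for p in patterns:
        if nbar_glob_to_regex(p).match(url):
            return p
    return None


class SingleRatePolicer:
    """Single-rate three-colour policer as in `police <cir> <bc> <be>`:
    bucket Tc (Bc bytes) fills at CIR, overflow spills into Te (Be bytes)."""
    def __init__(self, cir_bps, bc_bytes, be_bytes):
        self.cir, self.bc, self.be = cir_bps, bc_bytes, be_bytes
        self.tc, self.te, self.last = float(bc_bytes), float(be_bytes), 0.0

    def colour(self, size, now):
        self.tc += (now - self.last) * self.cir / 8.0   # bits -> bytes
        self.last = now
        if self.tc > self.bc:                           # spill into Be
            self.te = min(self.be, self.te + self.tc - self.bc)
            self.tc = self.bc
        if size <= self.tc:
            self.tc -= size
            return 'conform'
        if size <= self.te:
            self.te -= size
            return 'exceed'
        return 'violate'


COUNTER = {'conform': 'conformed', 'exceed': 'exceeded', 'violate': 'violated'}


def apply_policy(packets, policer, actions=ALL_DROP, decode=False):
    """Run (timestamp, request_line, size) packets through class-map and
    policer; return counters shaped like `show policy-map interface`."""
    stats = {'match': {p: 0 for p in HTTP_HACKS}, 'conformed': 0,
             'exceeded': 0, 'violated': 0, 'dropped': 0, 'class_default': 0}
    for ts, line, size in packets:
        hit = classify(line, decode=decode)
        if hit is None:
            stats['class_default'] += 1      # everything else: class-default
            continue
        stats['match'][hit] += 1
        colour = policer.colour(size, ts)
        stats[COUNTER[colour]] += 1
        if actions[colour] == 'drop':
            stats['dropped'] += 1
    return stats


# Constructed traffic: Code Red / Nimda style probes, the thread's test.asp,
# the iisstart.asp that was observed not to match, a percent-encoded variant,
# and ordinary browsing. All at t=0 and 500 bytes so the bucket maths is plain.
SAMPLE_PACKETS = [
    (0.0, 'GET /default.ida?NNNNNNNNNNNN%u9090%u6858 HTTP/1.0', 500),
    (0.0, 'GET /scripts/root.exe?/c+dir HTTP/1.0', 500),
    (0.0, 'GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0', 500),
    (0.0, 'GET /test.asp HTTP/1.1', 500),
    (0.0, 'GET /iisstart.asp HTTP/1.1', 500),
    (0.0, 'GET /scripts/%63md.exe?/c+dir HTTP/1.0', 500),
    (0.0, 'GET /index.html HTTP/1.1', 500),
]

if __name__ == '__main__':
    # Dmitry's numbers: every hit conforms, every hit is dropped.
    print(apply_policy(SAMPLE_PACKETS, SingleRatePolicer(1000000, 31250, 31250)))
    # Vilmos's numbers: the fourth hit exceeds Bc, but it is dropped just the same.
    print(apply_policy(SAMPLE_PACKETS, SingleRatePolicer(8000, 1500, 1500)))
    # Decoding first also catches the %63md.exe request the literal glob misses.
    print(apply_policy(SAMPLE_PACKETS, SingleRatePolicer(1000000, 31250, 31250), decode=True))
```

Two things the counters make obvious. With all three actions set to drop, the CIR and burst values only decide which counter a packet lands in (conformed vs exceeded), never whether it is forwarded, so the policer is a plain drop and the marking detour from the CCO note buys nothing. And the globs are literal substring matches: /iisstart.asp does not match "*test.asp*" (as observed above), and under the stated assumption that NBAR does not percent-decode, a request spelling the target as %63md.exe is not matched either, so this filter is a worm scrubber, not a complete control.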

> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On
> Behalf Of Szabo, Vilmos
> Sent: Monday, January 26, 2004 4:33 AM
> To: 'Dmitry Volkov'; 'Chris_M'; ccielab@groupstudy.com
> Cc: security@groupstudy.com
> Subject: RE: NBAR with class based policing
>
>
> Dmitry, All
>
> below is my simple config with nbar classification and policing of codered
> on same input interface (without any extra coloring and an additional ACL on
> a separate interface):
>
> !
> class-map match-any test
> match protocol http url "*root.exe*"
> match protocol http url "*x.ida*"
> !
> policy-map one
> class test
> police cir 8000
> conform-action drop
> exceed-action drop
> violate-action drop
> !
> interface Ethernet3/1
> ip address 172.16.0.2 255.255.255.0
> service-policy input one
> duplex half
> !
>
> and the result after an attack:
>
> R5#sh policy-map interface
> Ethernet3/1
>
> Service-policy input: one
>
> Class-map: test (match-any)
> 6 packets, 1217 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: protocol http url "*root.exe*"
> 6 packets, 1217 bytes <---------------------------
> 5 minute rate 0 bps
> Match: protocol http url "*x.ida*"
> 0 packets, 0 bytes
> 5 minute rate 0 bps
> police:
> cir 8000 bps, bc 1500 bytes, be 1500 bytes
> conformed 6 packets, 1217 bytes; actions: <--------------------
> drop
> exceeded 0 packets, 0 bytes; actions:
> drop
> violated 0 packets, 0 bytes; actions:
> drop
> conformed 0 bps, exceed 0 bps, violate 0 bps
>
> Class-map: class-default (match-any)
> 111 packets, 12579 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: any
> R5#
>
> Regards,
>
> Vilmos
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Szabo, Vilmos
> Sent: 23 January 2004 10:15
> To: 'Dmitry Volkov'; 'Chris_M'; ccielab@groupstudy.com
> Cc: security@groupstudy.com
> Subject: RE: NBAR with class based policing
>
>
> Hi All,
>
> I do not think we need to classify one type of traffic on one interface just
> in order to drop this marked traffic on another interface in this particular
> scenario.
>
> Yah, we can fly from London to Paris through New York, but there is a
> shorter way.
>
> So going back to the original question of Dmitry, I say your original
> configuration was completely right, even if the CCO sample did it in an
> unnecessarily complicated way.
>
> Yes it is true that you can classify and police traffic with a single
> policy-map on a single interface. (What is the classification method, nbar,
> acl ... or whatever is absolutely irrelevant for the policer).
>
> Just check the command reference:
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt4/qcfpoli.htm
>
> Let me know if you have a different opinion.
>
> Thank you!
>
> Vilmos
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> Dmitry Volkov
> Sent: 22 January 2004 20:47
> To: 'Chris_M'; ccielab@groupstudy.com
> Cc: security@groupstudy.com
> Subject: RE: NBAR with class based policing
>
>
> Thank you very much !
> However class-default covers ALL other traffic. Isn't it?
>
> Router#sh policy-map interface s0/0
> Ethernet0/0
>
> Service-policy input: mark-inbound-http-hacks
>
> Class-map: http-hacks (match-any)
> 0 packets, 0 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: protocol http url "*default.ida*"
> 0 packets, 0 bytes
> 5 minute rate 0 bps
> Match: protocol http url "*cmd.exe*"
> 0 packets, 0 bytes
> 5 minute rate 0 bps
> Match: protocol http url "*root.exe*"
> 0 packets, 0 bytes
> 5 minute rate 0 bps
> QoS Set
> dscp 1
> Packets marked 0
>
> Class-map: class-default (match-any)
> 68 packets, 8617 bytes
> 5 minute offered rate 0 bps, drop rate 0 bps
> Match: any
> Router#
>
> Dmitry
>
> > -----Original Message-----
> > From: Chris_M [mailto:cmartin007@msn.com]
> > Sent: Thursday, January 22, 2004 3:37 PM
> > To: dmitry.volkov@rogers.com; ccielab@groupstudy.com
> > Cc: security@groupstudy.com
> > Subject: Re: NBAR with class based policing
> >
> >
> > hi:
> > yes, you need to mark the packets somehow so the policy knows what to do
> > with the traffic. Also, I would mark ALL other traffic to default, so the
> > policy knows what to do with those as well.
> >
> >
> > ----- Original Message -----
> > From: "Dmitry Volkov" <dmitry.volkov@rogers.com>
> > To: "'Chris_M'" <cmartin007@msn.com>; <ccielab@groupstudy.com>
> > Cc: <security@groupstudy.com>
> > Sent: Thursday, January 22, 2004 12:32 PM
> > Subject: RE: NBAR with class based policing
> >
> >
> > > Chris,
> > >
> > > Agree, I missed "ip nbar protocol discovery".
> > > About classification: Are you saying NBAR is strictly classification
> > > method (not compatible with policing) and I need something like this:
> > >
> > > Classification on outside:
> > >
> > > Router(config)#ip cef
> > > Router(config)#class-map match-any http-hacks
> > > Router(config-cmap)#match protocol http url "*default.ida*"
> > > Router(config-cmap)#match protocol http url "*cmd.exe*"
> > > Router(config-cmap)#match protocol http url "*root.exe*"
> > >
> > > Router(config)#policy-map mark-inbound-http-hacks
> > > Router(config-pmap)#class http-hacks
> > > Router(config-pmap)#set ip dscp 1
> > > Router(config)#interface serial 0/0
> > > Router(config)#Description OUTSIDE INTERFACE
> > > Router(config-if)#service-policy input mark-inbound-http-hacks
> > > Router(config-if)#ip nbar protocol discovery
> > > ==================================
> > > Policing on inside::
> > >
> > > Router(config)#class-map match-any codered-marked
> > > Router(config-cmap)#match ip dscp 1
> > >
> > > Router(config)#policy-map drop-inbound-http-hacks
> > > Router(config-pmap)#class codered-marked
> > > Router(config-pmap)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
> > > Router(config)#interface Ethernet 0/0
> > > Router(config)#Description INSIDE INTERFACE
> > > Router(config-if)#service-policy output drop-inbound-http-hacks
> > >
> > > Thank You,
> > > Dmitry
> > >
> > > > -----Original Message-----
> > > > From: Chris_M [mailto:cmartin007@msn.com]
> > > > Sent: Thursday, January 22, 2004 3:11 PM
> > > > To: Dmitry Volkov; ccielab@groupstudy.com
> > > > Cc: security@groupstudy.com
> > > > Subject: Re: NBAR with class based policing
> > > >
> > > >
> > > > Dmitry:
> > > > You need to have the ip nbar protocol discovery command also.
> > > > Further you need another class map to assign a value to the
> > > > nbar class map.
> > > > For example, I would mark the nbar url with dscp of cs, then
> > > > drop dscp cs in your policy map.
> > > >
> > > > in your example, how is the policy map going to know what to
> > > > drop? The police command doesn't use nbar.
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Dmitry Volkov" <dmitry.volkov@rogers.com>
> > > > To: <ccielab@groupstudy.com>
> > > > Cc: <security@groupstudy.com>
> > > > Sent: Thursday, January 22, 2004 11:34 AM
> > > > Subject: NBAR with class based policing
> > > >
> > > >
> > > > > Hi,
> > > > >
> > > > > If I want to use NBAR with class based policing against stuff like
> > > > > codered -
> > > > > Is it enough to have?:
> > > > >
> > > > > Router(config)#class-map match-any http-hacks
> > > > > Router(config-cmap)#match protocol http url "*default.ida*"
> > > > > Router(config-cmap)#match protocol http url "*cmd.exe*"
> > > > > Router(config-cmap)#match protocol http url "*root.exe*"
> > > > > Router(config)#policy-map drop-inbound-http-hacks
> > > > > Router(config-pmap)#class http-hacks
> > > > > Router(config-pmap)#police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
> > > > > Router(config)#interface serial 0/0
> > > > > Router(config)#Description OUTSIDE INTERFACE
> > > > > Router(config-if)#service-policy input drop-inbound-http-hacks
> > > > >
> > > > > Example here
> > > > > http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800fc176.shtml#methodc
> > > > > looks strange: Description of steps 1)-5) contradicts the config they
> > > > > place...
> > > > > They talk about 2 policies: inbound on outside interface for
> > > > > classification of traffic and outbound for policing:
> > > > > "Note that you must apply a separate policy to the outbound interface. You
> > > > > cannot apply a single policy that both marks the "Code Red" packets and
> > > > > drops them"
> > > > >
> > > > > but config depicts inbound policing on outside interface, why do I need to
> > > > > mark them when I just want to drop...
> > > > >
> > > > > Is config above correct ??
> > > > >
> > > > > Thank You
> > > > > Dmitry
>



This archive was generated by hypermail 2.1.4 : Mon Feb 02 2004 - 09:07:50 GMT-3