RE: match protocol http [ url vs mime ]

From: Scott Morris (swm@emanon.com)
Date: Thu Nov 11 2004 - 20:41:20 GMT-3

Closer. :)

The period "." will never be part of the MIME type!!!

Like I said, play with a sniffer.... It's a lot more educational and much
less boring than the rfc's!!! ;)

Scott

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Thursday, November 11, 2004 6:24 PM
To: swm@emanon.com; 'Andy'
Cc: 'Group Study'
Subject: Re: match protocol http [ url vs mime ]

OK, I think I got it.

Tell me if this is correct.

If I match using the url keyword in the command, match prot http url
<string>, then I'm only matching on web traffic that contains <string> in
the url.

So, let's assume that the image you see when you go to the cisco home page
is a bmp image.

If I want to classify on the basis of bmp images and config the following

match prot http url "*.bmp"

that will NOT work because there's no .bmp within the url string itself.
The bmp is "embedded" in the web page.

However, if I do this,

match prot http mime "*.bmp"

that will work because when I use the mime keyword, it looks for the
embedded content in the web pages.

I hope I'm right because otherwise I really dont understand when to use the
url keyword versus the mime keyword.

I apologize for my ignorance about this but I've never created a single web
page in my life and I know nothing more about http except that it's what
used to code web pages.

Thanks, again.

----- Original Message -----
From: "Scott Morris" <swm@emanon.com>
To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Andy'" <AndyMrozek@yahoo.com>
Cc: "'Group Study'" <ccielab@groupstudy.com>
Sent: Thursday, November 11, 2004 5:50 PM
Subject: RE: match protocol http [ url vs mime ]

> No, only the mime will work since the word "images" may or may not be in
> your URL (only if someone stores all graphics in a /images directory
> (instead of /image or something else)...
>
> Take a sniffer sometime (ethereal is good and free!) and look at all the
> web requests that your station makes when you browse the web. Then look
> specifically at the URLs that are requested. Go to a few different sites
> and you'll see the variety on why this is hard.
>
> MIME types are fairly standard.
>
> HTH,
>
> Scott
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie2be
> Sent: Thursday, November 11, 2004 4:57 PM
> To: Andy
> Cc: Group Study
> Subject: Re: match protocol http [ url vs mime ]
>
> Andy,
>
> Thanks again for getting back to me.
>
> Just let me make sure I fully understand you.
>
> If I want to block web surfers from seeing any pictures in any format I
> would do this:
>
> class-map IMAGES
> match prot http url "*images*"
> or
> match prot http mime "*images*"
>
> Either one will work, but the 1st one is more efficient. Have I got that
> right?
>
> Now, is it possible using just 1 single match prot http command to specify
> both jpeg and bmp or do I need multiple match prot statements?
>
> For example, will this work?
>
> class-map JPEG-&-BMP
> match prot http mime "*jpeg | *bmp"
>
> Thanks, Tim
>
>
>
> ----- Original Message -----
> From: "Andy" <AndyMrozek@yahoo.com>
> To: "'ccie2be'" <ccie2be@nyc.rr.com>; <swm@emanon.com>; "'Group Study'"
> <ccielab@groupstudy.com>
> Sent: Thursday, November 11, 2004 3:43 PM
> Subject: RE: match protocol http [ url vs mime ]
>
>
> > I have tried both url / mime type ... Both work ,as I have webserver and
> > traffic generator .. In my opionon though I would use mime type as it
> seems
> > to drop it alot faster , and doesnt use as many network resourced , with
a
> > sniffer in the path between client / server you see lots of attempts
from
> > client to keep pulling information when using url type , but only a few
> when
> > using mime type , the only thing I thing about mime type we need to know
> the
> > various image types for example I had done "*image*" and it was blocking
> > .bmp , .jpg, .gif so if you only are required to say block .bmp I think
> then
> > you can use mime type unless there is a way to only block .bmp mime type
> but
> > say let .jpg through...
> >
> > -Andy
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > ccie2be
> > Sent: Thursday, November 11, 2004 12:27 PM
> > To: swm@emanon.com; 'Group Study'
> > Subject: Re: match protocol http [ url vs mime ]
> >
> >
> > Hi Scott,
> >
> > Thanks for getting back to me.
> >
> > Before I posted the questions below I did a google and found the rfc for
> > mime. Here's the link for anyone interested:
> >
> > http://www.mhonarc.org/~ehood/MIME/2045/rfc2045.html
> >
> > I started reading it but after a while my eyes glazed over and I didn't
> find
> > anything that actually helped me figure out whether I should use the url
> or
> > mime parameter of the match prot http command to accomplish this task.
> >
> > Maybe my brain isn't in good working order at the moment, but after
> reading
> > your response, I'm still not sure whether I should use the url or mime
> > parameter in the match protocol http command to classify jpeg's, gif's,
> > mpeg's, etc.
> >
> > So, let's say I want to block web surfers from downloading jpeg's and
> avi's.
> >
> > Would I use
> >
> > match prot http url "*jpeg | *avi"
> >
> > or
> >
> > match prot http mime "*jpeg | *avi"
> >
> > Notice that I used the bar | to specify either jpeg OR avi. Is that OK?
> >
> > Thanks, Tim
> >
> > ----- Original Message -----
> > From: "Scott Morris" <swm@emanon.com>
> > To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Group Study'"
> > <ccielab@groupstudy.com>
> > Sent: Thursday, November 11, 2004 2:32 PM
> > Subject: RE: match protocol http [ url vs mime ]
> >
> >
> > > The protocol type represents a field within the HTTP structures... It
> > will
> > > never look like "*.jpeg". That's a filename call, and within the URL.
> > >
> > > MIME types are "image/jpeg", "image/gif", "video/avi" and things like
> > > that... There's an RFC about Multimedia Independent Mail Extensions
> > (MIME),
> > > but I don't recall what its number is...
> > >
> > > Otherwise, take a look at your File Associations table in Windows and
> > you'll
> > > have an idea for different MIME types and their name.
> > >
> > > HTH,
> > >
> > >
> > > Scott Morris, MCSE, CCDP, CCIE4 (R&S/ISP-Dial/Security/Service
Provider)
> > > #4713, JNCIP, CCNA-WAN Switching, CCSP, Cable Communications
Specialist,
> > IP
> > > Telephony Support Specialist, IP Telephony Design Specialist, CISSP
> > > CCSI #21903
> > > swm@emanon.com
> > >
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
Of
> > > ccie2be
> > > Sent: Thursday, November 11, 2004 12:31 PM
> > > To: Group Study
> > > Subject: match protocol http [ url vs mime ]
> > >
> > > Hi guys,
> > >
> > > I need some help figuring out when to use the "mime" parameter when
> > matching
> > > traffic.
> > >
> > > For example, if I want to apply a policy which filters or restricts
> > traffic
> > > that contains jpeg files which config should I use?
> > >
> > > class-map jpeg
> > > match protocol http url "*.jpeg"
> > >
> > > or
> > >
> > > match protocol http mime "*.jpeg"
> > >
> > >
> > > Also, can regular expressions be used within the quote marks?
> > >
> > > For example, is this OK?
> > >
> > > match prot http mime "*.jpeg | *.jpg | *.mpeg"
> > >
> > >
> > > Any insight or help is greatly appreciated.
> > >
> > > TIA, Tim
> > >
> > >

This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:42 GMT-3