Re: match protocol http [ url vs mime ]

From: ccie2be (ccie2be@nyc.rr.com)
Date: Thu Nov 11 2004 - 21:11:27 GMT-3


OK, I like closer. Closer is a hell of a lot better than farther. So, I'm
going in the right direction and that's good.

So, as far as the concept of url versus mime, I have that correct, right?

I just need to keep in mind that I can never accomplish anything if I use
the period and mime keyword together in a match prot http statement.

And, therefore, like you were saying before if I need to act upon something
that has a period in the string, I know I then have to use the url keyword
instead of the mime.

One last thing regarding syntax:

If I want to have a logical OR are both methods exactly the same?

class-map match-any JPG-OR-MPEG
match prot http url "*.jpeg"
match prot http url "*.mpeg"

class-map match-all JPG-OR-MPEG
match prot http url "*.jpeg|*.mpeg"

I know the first method will work, but I'm not sure about the 2nd method.
In particular, can I use the pipe "|" character like that? Do I need spaces
before and/or after the pipe.

BTW, I like the idea of getting and learning how to use a free sniffer, but
wouldn't I also need a traffic generator? I suspect that if I didn't create
a controlled environment where I know in advance exactly what traffic is
passing, I would be overwhelmed with so much stuff I had no idea about, I
wouldn't know what to make of it all.

Thanks, again.

----- Original Message -----
From: "Scott Morris" <swm@emanon.com>
To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Andy'" <AndyMrozek@yahoo.com>
Cc: "'Group Study'" <ccielab@groupstudy.com>
Sent: Thursday, November 11, 2004 6:41 PM
Subject: RE: match protocol http [ url vs mime ]

> Closer. :)
>
> The period "." will never be part of the MIME type!!!
>
> Like I said, play with a sniffer.... It's a lot more educational and much
> less boring than the rfc's!!! ;)
>
> Scott
>
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Thursday, November 11, 2004 6:24 PM
> To: swm@emanon.com; 'Andy'
> Cc: 'Group Study'
> Subject: Re: match protocol http [ url vs mime ]
>
> OK, I think I got it.
>
> Tell me if this is correct.
>
> If I match using the url keyword in the command, match prot http url
> <string>, then I'm only matching on web traffic that contains <string> in
> the url.
>
> So, let's assume that the image you see when you go to the cisco home page
> is a bmp image.
>
> If I want to classify on the basis of bmp images and config the following
>
> match prot http url "*.bmp"
>
> that will NOT work because there's no .bmp within the url string itself.
> The bmp is "embedded" in the web page.
>
> However, if I do this,
>
> match prot http mime "*.bmp"
>
> that will work because when I use the mime keyword, it looks for the
> embedded content in the web pages.
>
> I hope I'm right because otherwise I really don't understand when to use
> the url keyword versus the mime keyword.
>
> I apologize for my ignorance about this but I've never created a single
> web page in my life and I know nothing more about http except that it's
> what's used to code web pages.
>
> Thanks, again.
>
> ----- Original Message -----
> From: "Scott Morris" <swm@emanon.com>
> To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Andy'" <AndyMrozek@yahoo.com>
> Cc: "'Group Study'" <ccielab@groupstudy.com>
> Sent: Thursday, November 11, 2004 5:50 PM
> Subject: RE: match protocol http [ url vs mime ]
>
>
> > No, only the mime will work since the word "images" may or may not be in
> > your URL (only if someone stores all graphics in a /images directory
> > (instead of /image or something else)...
> >
> > Take a sniffer sometime (ethereal is good and free!) and look at all the
> > web requests that your station makes when you browse the web. Then look
> > specifically at the URLs that are requested. Go to a few different sites
> > and you'll see the variety on why this is hard.
> >
> > MIME types are fairly standard.
> >
> > HTH,
> >
> > Scott
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie2be
> > Sent: Thursday, November 11, 2004 4:57 PM
> > To: Andy
> > Cc: Group Study
> > Subject: Re: match protocol http [ url vs mime ]
> >
> > Andy,
> >
> > Thanks again for getting back to me.
> >
> > Just let me make sure I fully understand you.
> >
> > If I want to block web surfers from seeing any pictures in any format I
> > would do this:
> >
> > class-map IMAGES
> > match prot http url "*images*"
> > or
> > match prot http mime "*images*"
> >
> > Either one will work, but the 1st one is more efficient. Have I got that
> > right?
> >
> > Now, is it possible using just 1 single match prot http command to
> > specify both jpeg and bmp or do I need multiple match prot statements?
> >
> > For example, will this work?
> >
> > class-map JPEG-&-BMP
> > match prot http mime "*jpeg | *bmp"
> >
> > Thanks, Tim
> >
> >
> >
> > ----- Original Message -----
> > From: "Andy" <AndyMrozek@yahoo.com>
> > To: "'ccie2be'" <ccie2be@nyc.rr.com>; <swm@emanon.com>; "'Group Study'"
> > <ccielab@groupstudy.com>
> > Sent: Thursday, November 11, 2004 3:43 PM
> > Subject: RE: match protocol http [ url vs mime ]
> >
> >
> > > I have tried both url / mime type ... Both work, as I have webserver and
> > > traffic generator .. In my opinion though I would use mime type as it
> > > seems to drop it a lot faster, and doesn't use as many network resources,
> > > with a sniffer in the path between client / server you see lots of
> > > attempts from client to keep pulling information when using url type,
> > > but only a few when using mime type, the only thing I think about mime
> > > type we need to know the various image types for example I had done
> > > "*image*" and it was blocking .bmp, .jpg, .gif so if you only are
> > > required to say block .bmp I think then you can use mime type unless
> > > there is a way to only block .bmp mime type but say let .jpg through...
> > >
> > > -Andy
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > ccie2be
> > > Sent: Thursday, November 11, 2004 12:27 PM
> > > To: swm@emanon.com; 'Group Study'
> > > Subject: Re: match protocol http [ url vs mime ]
> > >
> > >
> > > Hi Scott,
> > >
> > > Thanks for getting back to me.
> > >
> > > Before I posted the questions below I did a google and found the rfc for
> > > mime. Here's the link for anyone interested:
> > >
> > > http://www.mhonarc.org/~ehood/MIME/2045/rfc2045.html
> > >
> > > I started reading it but after a while my eyes glazed over and I didn't
> > > find anything that actually helped me figure out whether I should use the
> > > url or mime parameter of the match prot http command to accomplish this
> > > task.
> > >
> > > Maybe my brain isn't in good working order at the moment, but after
> > > reading your response, I'm still not sure whether I should use the url or
> > > mime parameter in the match protocol http command to classify jpeg's,
> > > gif's, mpeg's, etc.
> > >
> > > So, let's say I want to block web surfers from downloading jpeg's and
> > > avi's.
> > >
> > > Would I use
> > >
> > > match prot http url "*jpeg | *avi"
> > >
> > > or
> > >
> > > match prot http mime "*jpeg | *avi"
> > >
> > > Notice that I used the bar | to specify either jpeg OR avi. Is that
> > > OK?
> > >
> > > Thanks, Tim
> > >
> > > ----- Original Message -----
> > > From: "Scott Morris" <swm@emanon.com>
> > > To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Group Study'"
> > > <ccielab@groupstudy.com>
> > > Sent: Thursday, November 11, 2004 2:32 PM
> > > Subject: RE: match protocol http [ url vs mime ]
> > >
> > >
> > > > The protocol type represents a field within the HTTP structures... It
> > > > will never look like "*.jpeg". That's a filename call, and within the
> > > > URL.
> > > >
> > > > MIME types are "image/jpeg", "image/gif", "video/avi" and things like
> > > > that... There's an RFC about Multimedia Independent Mail Extensions
> > > > (MIME), but I don't recall what its number is...
> > > >
> > > > Otherwise, take a look at your File Associations table in Windows and
> > > > you'll have an idea for different MIME types and their name.
> > > >
> > > > HTH,
> > > >
> > > >
> > > > Scott Morris, MCSE, CCDP, CCIE4 (R&S/ISP-Dial/Security/Service Provider)
> > > > #4713, JNCIP, CCNA-WAN Switching, CCSP, Cable Communications Specialist,
> > > > IP Telephony Support Specialist, IP Telephony Design Specialist, CISSP
> > > > CCSI #21903
> > > > swm@emanon.com
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > ccie2be
> > > > Sent: Thursday, November 11, 2004 12:31 PM
> > > > To: Group Study
> > > > Subject: match protocol http [ url vs mime ]
> > > >
> > > > Hi guys,
> > > >
> > > > I need some help figuring out when to use the "mime" parameter when
> > > > matching traffic.
> > > >
> > > > For example, if I want to apply a policy which filters or restricts
> > > > traffic that contains jpeg files which config should I use?
> > > >
> > > > class-map jpeg
> > > > match protocol http url "*.jpeg"
> > > >
> > > > or
> > > >
> > > > match protocol http mime "*.jpeg"
> > > >
> > > >
> > > > Also, can regular expressions be used within the quote marks?
> > > >
> > > > For example, is this OK?
> > > >
> > > > match prot http mime "*.jpeg | *.jpg | *.mpeg"
> > > >
> > > >
> > > > Any insight or help is greatly appreciated.
> > > >
> > > > TIA, Tim
> > > >
> > > >
> > >
> > >
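
Added example, not part of the original thread and not Cisco code: the url-versus-mime distinction discussed above, shown on three constructed HTTP exchanges. The sample requests, the host www.example.com and the function names are assumptions, and Python's fnmatch only stands in for the "*" wildcard; it is not the router's own matcher.

```python
from fnmatch import fnmatchcase

# Constructed (request, response-header) pairs; not captured traffic.
EXCHANGES = [
    (b"GET /pics/logo.jpeg HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: 5120\r\n\r\n"),
    (b"GET /media?id=42 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
     b"HTTP/1.1 200 OK\r\ncontent-type: image/bmp\r\n\r\n"),
    (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"),
]

def request_url(raw):
    """Return the request target from the client's request line."""
    line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    _method, target, _version = line.split(" ", 2)
    return target

def response_mime(raw):
    """Return the server's Content-Type media type, lowercased, parameters stripped."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""

def classify(pattern, field):
    """Return indexes of exchanges whose url or mime field matches the pattern."""
    hits = []
    for i, (req, resp) in enumerate(EXCHANGES):
        subject = request_url(req) if field == "url" else response_mime(resp)
        if fnmatchcase(subject, pattern):
            hits.append(i)
    return hits

if __name__ == "__main__":
    for field, pattern in [("url", "*.jpeg"), ("mime", "*.jpeg"),
                           ("mime", "*jpeg"), ("mime", "*image*"),
                           ("url", "*.bmp"), ("mime", "*bmp")]:
        print(f"{field:4} {pattern!r:10} -> {classify(pattern, field)}")
```

The second exchange is the case the thread circles around: the BMP is fetched from a URL with no file extension, so only the mime field identifies it.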



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:42 GMT-3