RE: match protocol http [ url vs mime ]

From: Scott Morris (swm@emanon.com)
Date: Thu Nov 11 2004 - 22:21:13 GMT-3


If you put a sniffer on your laptop, then cruise a few web sites, then YOU
are generating the traffic. :)

You appear to have the idea about url versus mime a bit there, but I'm not
entirely sure it's completely sunk in yet! That will sink in more with the
sniffer trace!

When you request a web page, the basic HTML (mime type text/html) that you
get back will contain a list of all the graphics and other things you need
to request. Your web browser will make additional outgoing requests (which
would be URL's matching things you have listed). Be aware that your jpeg's
may be ".jpg" or ".jpeg" and MPEGs may be ".mpg" or ".mpeg"...

The information you get coming back in will have a content type as part of the
HTML header. That includes a MIME information set. Like "image/jpeg" or
"movie/mpeg".

Since you are filtering a text string that may include spaces you put the
quotes around things. As for the | command, if it is inside the quotes it
will be treated like a text character and therefore will not work in the
method you envision. You're better off with a match-any class-map!

I hope this helps a bit more, but seriously play with the sniffer. :)
Things aren't always as complicated as the RFCs make them out to seem!

Scott
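
The URL-versus-MIME distinction discussed in this thread, as an added example that is not part of the original posts: it pulls the request URL and the response Content-Type out of constructed HTTP exchanges and tests wildcard patterns against each. The host, the paths and the use of Python's `fnmatch` as a stand-in for the router's `*` wildcard are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed request/response pairs, as a sniffer would show them (not a real capture).
EXCHANGES = [
    (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=iso-8859-1\r\n\r\n"),
    (b"GET /img/logo.jpg HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"),
    (b"GET /photo?id=7 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"),
    (b"GET /clips/demo.mpeg HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: video/mpeg\r\n\r\n"),
]

def request_url(request: bytes) -> str:
    """Return the URL from the request line: METHOD SP URL SP VERSION."""
    line = request.split(b"\r\n", 1)[0].decode("ascii")
    method, url, version = line.split(" ")
    return url

def response_mime(response: bytes) -> str:
    """Return the media type from the Content-Type header, lowercased, without parameters."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("ascii")
    for header in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = header.partition(":")
        if name.strip().lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""

def classify(url_patterns, mime_patterns):
    """For each exchange return (url, mime, url_hit, mime_hit).
    One matching pattern is enough for a hit, as in a match-any class-map."""
    rows = []
    for req, resp in EXCHANGES:
        url, mime = request_url(req), response_mime(resp)
        url_hit = any(fnmatchcase(url, p) for p in url_patterns)
        mime_hit = any(fnmatchcase(mime, p) for p in mime_patterns)
        rows.append((url, mime, url_hit, mime_hit))
    return rows

if __name__ == "__main__":
    # URL patterns need every extension spelling; the MIME pattern sees the content type.
    for row in classify(["*.jpg", "*.jpeg"], ["*jpeg"]):
        print("%-18s %-11s url=%-5s mime=%s" % row)
```

The `/photo?id=7` row is the case to look at: the image has no file extension in its URL, so only the content-type pattern classifies it.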

-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Thursday, November 11, 2004 7:11 PM
To: swm@emanon.com; 'Andy'
Cc: 'Group Study'
Subject: Re: match protocol http [ url vs mime ]

OK, I like closer. Closer is a hell of a lot better than farther. So, I'm going
in the right direction and that's good.

So, as far as the concept of url versus mime, I have that correct, right?

I just need to keep in mind that I can never accomplish anything if I use
the period and mime keyword together in a match prot http statement.

And, therefore, like you were saying before if I need to act upon something
that has a period in the string, I know I then have to use the url keyword
instead of the mime.

One last thing regarding syntax:

If I want to have a logical OR are both methods exactly the same?

class-map match-any JPG-OR-MPEG
match prot http url "*.jpeg"
match prot http url "*.mpeg"

class-map match-all JPG-OR-MPEG
match prot http url "*.jpeg|*.mpeg"

I know the first method will work, but I'm not sure about the 2nd method.
In particular, can I use the pipe "|" character like that? Do I need spaces
before and/or after the pipe?

BTW, I like the idea of getting and learning how to use a free sniffer, but
wouldn't I also need a traffic generator? I suspect that if I didn't create
a controlled environment where I know in advance exactly what traffic is
passing, I would be overwhelmed with so much stuff I had no idea about, I
wouldn't know what to make of it all.

Thanks, again.

----- Original Message -----
From: "Scott Morris" <swm@emanon.com>
To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Andy'" <AndyMrozek@yahoo.com>
Cc: "'Group Study'" <ccielab@groupstudy.com>
Sent: Thursday, November 11, 2004 6:41 PM
Subject: RE: match protocol http [ url vs mime ]

> Closer. :)
>
> The period "." will never be part of the MIME type!!!
>
> Like I said, play with a sniffer.... It's a lot more educational and much
> less boring than the rfc's!!! ;)
>
> Scott
>
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Thursday, November 11, 2004 6:24 PM
> To: swm@emanon.com; 'Andy'
> Cc: 'Group Study'
> Subject: Re: match protocol http [ url vs mime ]
>
> OK, I think I got it.
>
> Tell me if this is correct.
>
> If I match using the url keyword in the command, match prot http url
> <string>, then I'm only matching on web traffic that contains <string> in
> the url.
>
> So, let's assume that the image you see when you go to the cisco home page
> is a bmp image.
>
> If I want to classify on the basis of bmp images and config the following
>
> match prot http url "*.bmp"
>
> that will NOT work because there's no .bmp within the url string itself.
> The bmp is "embedded" in the web page.
>
> However, if I do this,
>
> match prot http mime "*.bmp"
>
> that will work because when I use the mime keyword, it looks for the
> embedded content in the web pages.
>
> I hope I'm right because otherwise I really don't understand when to use the
> url keyword versus the mime keyword.
>
> I apologize for my ignorance about this but I've never created a single web
> page in my life and I know nothing more about http except that it's what's
> used to code web pages.
>
> Thanks, again.
>
> ----- Original Message -----
> From: "Scott Morris" <swm@emanon.com>
> To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Andy'" <AndyMrozek@yahoo.com>
> Cc: "'Group Study'" <ccielab@groupstudy.com>
> Sent: Thursday, November 11, 2004 5:50 PM
> Subject: RE: match protocol http [ url vs mime ]
>
>
> > No, only the mime will work since the word "images" may or may not be in
> > your URL (only if someone stores all graphics in a /images directory
> > (instead of /image or something else)...
> >
> > Take a sniffer sometime (ethereal is good and free!) and look at all the
> > web requests that your station makes when you browse the web. Then look
> > specifically at the URLs that are requested. Go to a few different sites
> > and you'll see the variety on why this is hard.
> >
> > MIME types are fairly standard.
> >
> > HTH,
> >
> > Scott
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie2be
> > Sent: Thursday, November 11, 2004 4:57 PM
> > To: Andy
> > Cc: Group Study
> > Subject: Re: match protocol http [ url vs mime ]
> >
> > Andy,
> >
> > Thanks again for getting back to me.
> >
> > Just let me make sure I fully understand you.
> >
> > If I want to block web surfers from seeing any pictures in any format I
> > would do this:
> >
> > class-map IMAGES
> > match prot http url "*images*"
> > or
> > match prot http mime "*images*"
> >
> > Either one will work, but the 1st one is more efficient. Have I got that
> > right?
> >
> > Now, is it possible using just 1 single match prot http command to specify
> > both jpeg and bmp or do I need multiple match prot statements?
> >
> > For example, will this work?
> >
> > class-map JPEG-&-BMP
> > match prot http mime "*jpeg | *bmp"
> >
> > Thanks, Tim
> >
> >
> >
> > ----- Original Message -----
> > From: "Andy" <AndyMrozek@yahoo.com>
> > To: "'ccie2be'" <ccie2be@nyc.rr.com>; <swm@emanon.com>; "'Group Study'"
> > <ccielab@groupstudy.com>
> > Sent: Thursday, November 11, 2004 3:43 PM
> > Subject: RE: match protocol http [ url vs mime ]
> >
> >
> > > I have tried both url / mime type ... Both work, as I have webserver and
> > > traffic generator .. In my opinion though I would use mime type as it seems
> > > to drop it a lot faster, and doesn't use as many network resources, with a
> > > sniffer in the path between client / server you see lots of attempts from
> > > client to keep pulling information when using url type, but only a few when
> > > using mime type, the only thing I think about mime type we need to know the
> > > various image types for example I had done "*image*" and it was blocking
> > > .bmp, .jpg, .gif so if you only are required to say block .bmp I think then
> > > you can use mime type unless there is a way to only block .bmp mime type but
> > > say let .jpg through...
> > >
> > > -Andy
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > ccie2be
> > > Sent: Thursday, November 11, 2004 12:27 PM
> > > To: swm@emanon.com; 'Group Study'
> > > Subject: Re: match protocol http [ url vs mime ]
> > >
> > >
> > > Hi Scott,
> > >
> > > Thanks for getting back to me.
> > >
> > > Before I posted the questions below I did a google and found the rfc for
> > > mime. Here's the link for anyone interested:
> > >
> > > http://www.mhonarc.org/~ehood/MIME/2045/rfc2045.html
> > >
> > > I started reading it but after a while my eyes glazed over and I didn't find
> > > anything that actually helped me figure out whether I should use the url or
> > > mime parameter of the match prot http command to accomplish this task.
> > >
> > > Maybe my brain isn't in good working order at the moment, but after reading
> > > your response, I'm still not sure whether I should use the url or mime
> > > parameter in the match protocol http command to classify jpeg's, gif's,
> > > mpeg's, etc.
> > >
> > > So, let's say I want to block web surfers from downloading jpeg's and avi's.
> > >
> > > Would I use
> > >
> > > match prot http url "*jpeg | *avi"
> > >
> > > or
> > >
> > > match prot http mime "*jpeg | *avi"
> > >
> > > Notice that I used the bar | to specify either jpeg OR avi. Is that OK?
> > >
> > > Thanks, Tim
> > >
> > > ----- Original Message -----
> > > From: "Scott Morris" <swm@emanon.com>
> > > To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Group Study'"
> > > <ccielab@groupstudy.com>
> > > Sent: Thursday, November 11, 2004 2:32 PM
> > > Subject: RE: match protocol http [ url vs mime ]
> > >
> > >
> > > > The protocol type represents a field within the HTTP structures... It will
> > > > never look like "*.jpeg". That's a filename call, and within the URL.
> > > >
> > > > MIME types are "image/jpeg", "image/gif", "video/avi" and things like
> > > > that... There's an RFC about Multimedia Independent Mail Extensions (MIME),
> > > > but I don't recall what its number is...
> > > >
> > > > Otherwise, take a look at your File Associations table in Windows and you'll
> > > > have an idea for different MIME types and their name.
> > > >
> > > > HTH,
> > > >
> > > >
> > > > Scott Morris, MCSE, CCDP, CCIE4 (R&S/ISP-Dial/Security/Service Provider)
> > > > #4713, JNCIP, CCNA-WAN Switching, CCSP, Cable Communications Specialist, IP
> > > > Telephony Support Specialist, IP Telephony Design Specialist, CISSP
> > > > CCSI #21903
> > > > swm@emanon.com
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > ccie2be
> > > > Sent: Thursday, November 11, 2004 12:31 PM
> > > > To: Group Study
> > > > Subject: match protocol http [ url vs mime ]
> > > >
> > > > Hi guys,
> > > >
> > > > I need some help figuring out when to use the "mime" parameter when matching
> > > > traffic.
> > > >
> > > > For example, if I want to apply a policy which filters or restricts traffic
> > > > that contains jpeg files which config should I use?
> > > >
> > > > class-map jpeg
> > > > match protocol http url "*.jpeg"
> > > >
> > > > or
> > > >
> > > > match protocol http mime "*.jpeg"
> > > >
> > > >
> > > > Also, can regular expressions be used within the quote marks?
> > > >
> > > > For example, is this OK?
> > > >
> > > > match prot http mime "*.jpeg | *.jpg | *.mpeg"
> > > >
> > > >
> > > > Any insight or help is greatly appreciated.
> > > >
> > > > TIA, Tim
> > > >
> > > >
> > >
> > >



This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:42 GMT-3