From: ccie2be (ccie2be@nyc.rr.com)
Date: Thu Nov 11 2004 - 22:26:34 GMT-3
Hey Scott,
Just when I thought I got this topic covered...
I found the list of mime types at this url,
ftp://ftp.isi.edu/in-notes/iana/assignments/media-types/media-types
And, while scrolling down the list, I noticed there are not only mime types,
but there are also mime sub-types. Now, sure enough there are no periods in
mime types. However, there are periods in mime sub-types.
So, getting back to the command, match prot http mime <mime-type>, it seems
that mime type can be either mime type or mime sub-type. For example,
"jpeg" is a mime sub-type of mime type image and I've seen examples using
jpeg so it seems it's OK to use sub-types.
That said, the options available for using match prot http mime include
things like "images" which will pick all mime sub-types of mime type image
or specifying a particular mime sub-type such as any of the ones below
(except if they include a period?). Am I getting closer still?
Thanks, Tim
image jpeg [RFC2045,RFC2046]
gif [RFC2045,RFC2046]
ief Image Exchange Format [RFC1314]
g3fax [RFC1494]
tiff Tag Image File Format [RFC2302]
cgm Computer Graphics Metafile [Francis]
naplps [Ferber]
vnd.dwg [Moline]
vnd.svf [Moline]
vnd.dxf [Moline]
png [Randers-Pehrson]
vnd.fpx [Spencer]
vnd.net-fpx [Spencer]
vnd.xiff [SMartin]
prs.btif [Simon]
vnd.fastbidsheet [Becker]
vnd.wap.wbmp [Stark]
prs.pti [Laun]
vnd.cns.inf2 [McLaughlin]
vnd.mix [Reddy]
vnd.fujixerox.edmics-rlc [Onda]
vnd.fujixerox.edmics-mmr [Onda]
vnd.fst [Fuldseth]
----- Original Message -----
From: "Scott Morris" <swm@emanon.com>
To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Andy'" <AndyMrozek@yahoo.com>
Cc: "'Group Study'" <ccielab@groupstudy.com>
Sent: Thursday, November 11, 2004 6:41 PM
Subject: RE: match protocol http [ url vs mime ]
> Closer. :)
>
> The period "." will never be part of the MIME type!!!
>
> Like I said, play with a sniffer.... It's a lot more educational and much
> less boring than the rfc's!!! ;)
>
> Scott
>
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Thursday, November 11, 2004 6:24 PM
> To: swm@emanon.com; 'Andy'
> Cc: 'Group Study'
> Subject: Re: match protocol http [ url vs mime ]
>
> OK, I think I got it.
>
> Tell me if this is correct.
>
> If I match using the url keyword in the command, match prot http url
> <string>, then I'm only matching on web traffic that contains <string> in
> the url.
>
> So, let's assume that the image you see when you go to the cisco home page
> is a bmp image.
>
> If I want to classify on the basis of bmp images and config the following
>
> match prot http url "*.bmp"
>
> that will NOT work because there's no .bmp within the url string itself.
> The bmp is "embedded" in the web page.
>
> However, if I do this,
>
> match prot http mime "*.bmp"
>
> that will work because when I use the mime keyword, it looks for the
> embedded content in the web pages.
>
> I hope I'm right because otherwise I really dont understand when to use
the
> url keyword versus the mime keyword.
>
> I apologize for my ignorance about this but I've never created a single
web
> page in my life and I know nothing more about http except that it's what
> used to code web pages.
>
> Thanks, again.
>
> ----- Original Message -----
> From: "Scott Morris" <swm@emanon.com>
> To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Andy'" <AndyMrozek@yahoo.com>
> Cc: "'Group Study'" <ccielab@groupstudy.com>
> Sent: Thursday, November 11, 2004 5:50 PM
> Subject: RE: match protocol http [ url vs mime ]
>
>
> > No, only the mime will work since the word "images" may or may not be in
> > your URL (only if someone stores all graphics in a /images directory
> > (instead of /image or something else)...
> >
> > Take a sniffer sometime (ethereal is good and free!) and look at all
the
> > web requests that your station makes when you browse the web. Then look
> > specifically at the URLs that are requested. Go to a few different
sites
> > and you'll see the variety on why this is hard.
> >
> > MIME types are fairly standard.
> >
> > HTH,
> >
> > Scott
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie2be
> > Sent: Thursday, November 11, 2004 4:57 PM
> > To: Andy
> > Cc: Group Study
> > Subject: Re: match protocol http [ url vs mime ]
> >
> > Andy,
> >
> > Thanks again for getting back to me.
> >
> > Just let me make sure I fully understand you.
> >
> > If I want to block web surfers from seeing any pictures in any format I
> > would do this:
> >
> > class-map IMAGES
> > match prot http url "*images*"
> > or
> > match prot http mime "*images*"
> >
> > Either one will work, but the 1st one is more efficient. Have I got
that
> > right?
> >
> > Now, is it possible using just 1 single match prot http command to
specify
> > both jpeg and bmp or do I need multiple match prot statements?
> >
> > For example, will this work?
> >
> > class-map JPEG-&-BMP
> > match prot http mime "*jpeg | *bmp"
> >
> > Thanks, Tim
> >
> >
> >
> > ----- Original Message -----
> > From: "Andy" <AndyMrozek@yahoo.com>
> > To: "'ccie2be'" <ccie2be@nyc.rr.com>; <swm@emanon.com>; "'Group Study'"
> > <ccielab@groupstudy.com>
> > Sent: Thursday, November 11, 2004 3:43 PM
> > Subject: RE: match protocol http [ url vs mime ]
> >
> >
> > > I have tried both url / mime type ... Both work ,as I have webserver
and
> > > traffic generator .. In my opionon though I would use mime type as it
> > seems
> > > to drop it alot faster , and doesnt use as many network resourced ,
with
> a
> > > sniffer in the path between client / server you see lots of attempts
> from
> > > client to keep pulling information when using url type , but only a
few
> > when
> > > using mime type , the only thing I thing about mime type we need to
know
> > the
> > > various image types for example I had done "*image*" and it was
blocking
> > > .bmp , .jpg, .gif so if you only are required to say block .bmp I
think
> > then
> > > you can use mime type unless there is a way to only block .bmp mime
type
> > but
> > > say let .jpg through...
> > >
> > > -Andy
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > ccie2be
> > > Sent: Thursday, November 11, 2004 12:27 PM
> > > To: swm@emanon.com; 'Group Study'
> > > Subject: Re: match protocol http [ url vs mime ]
> > >
> > >
> > > Hi Scott,
> > >
> > > Thanks for getting back to me.
> > >
> > > Before I posted the questions below I did a google and found the rfc
for
> > > mime. Here's the link for anyone interested:
> > >
> > > http://www.mhonarc.org/~ehood/MIME/2045/rfc2045.html
> > >
> > > I started reading it but after a while my eyes glazed over and I
didn't
> > find
> > > anything that actually helped me figure out whether I should use the
url
> > or
> > > mime parameter of the match prot http command to accomplish this task.
> > >
> > > Maybe my brain isn't in good working order at the moment, but after
> > reading
> > > your response, I'm still not sure whether I should use the url or mime
> > > parameter in the match protocol http command to classify jpeg's,
gif's,
> > > mpeg's, etc.
> > >
> > > So, let's say I want to block web surfers from downloading jpeg's and
> > avi's.
> > >
> > > Would I use
> > >
> > > match prot http url "*jpeg | *avi"
> > >
> > > or
> > >
> > > match prot http mime "*jpeg | *avi"
> > >
> > > Notice that I used the bar | to specify either jpeg OR avi. Is that
OK?
> > >
> > > Thanks, Tim
> > >
> > > ----- Original Message -----
> > > From: "Scott Morris" <swm@emanon.com>
> > > To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Group Study'"
> > > <ccielab@groupstudy.com>
> > > Sent: Thursday, November 11, 2004 2:32 PM
> > > Subject: RE: match protocol http [ url vs mime ]
> > >
> > >
> > > > The protocol type represents a field within the HTTP structures...
It
> > > will
> > > > never look like "*.jpeg". That's a filename call, and within the
URL.
> > > >
> > > > MIME types are "image/jpeg", "image/gif", "video/avi" and things
like
> > > > that... There's an RFC about Multimedia Independent Mail Extensions
> > > (MIME),
> > > > but I don't recall what its number is...
> > > >
> > > > Otherwise, take a look at your File Associations table in Windows
and
> > > you'll
> > > > have an idea for different MIME types and their name.
> > > >
> > > > HTH,
> > > >
> > > >
> > > > Scott Morris, MCSE, CCDP, CCIE4 (R&S/ISP-Dial/Security/Service
> Provider)
> > > > #4713, JNCIP, CCNA-WAN Switching, CCSP, Cable Communications
> Specialist,
> > > IP
> > > > Telephony Support Specialist, IP Telephony Design Specialist, CISSP
> > > > CCSI #21903
> > > > swm@emanon.com
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
> Of
> > > > ccie2be
> > > > Sent: Thursday, November 11, 2004 12:31 PM
> > > > To: Group Study
> > > > Subject: match protocol http [ url vs mime ]
> > > >
> > > > Hi guys,
> > > >
> > > > I need some help figuring out when to use the "mime" parameter when
> > > matching
> > > > traffic.
> > > >
> > > > For example, if I want to apply a policy which filters or restricts
> > > traffic
> > > > that contains jpeg files which config should I use?
> > > >
> > > > class-map jpeg
> > > > match protocol http url "*.jpeg"
> > > >
> > > > or
> > > >
> > > > match protocol http mime "*.jpeg"
> > > >
> > > >
> > > > Also, can regular expressions be used within the quote marks?
> > > >
> > > > For example, is this OK?
> > > >
> > > > match prot http mime "*.jpeg | *.jpg | *.mpeg"
> > > >
> > > >
> > > > Any insight or help is greatly appreciated.
> > > >
> > > > TIA, Tim
> > > >
> > > >
> _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
> > >
> > >
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:42 GMT-3