From: Scott Morris (swm@emanon.com)
Date: Thu Nov 11 2004 - 22:37:18 GMT-3
Closer yet! :)
Ok. Yes. SOME have periods. Of all the "normal" things that we typically
would see (like the jpeg format we are discussing) there is no period.
You just need to remember you are keying in a text string. So that text
string either will or will not be in an HTML header where "protocol http" is
looking. That's why the accuracy is important!
But yes, "images" is the mime type and the sub-types are separated with a
"/" character (hence "images/jpeg").
HTH,
Scott
-----Original Message-----
From: ccie2be [mailto:ccie2be@nyc.rr.com]
Sent: Thursday, November 11, 2004 8:27 PM
To: swm@emanon.com; 'Andy'
Cc: 'Group Study'
Subject: Re: match protocol http mime (types)
Hey Scott,
Just when I thought I got this topic covered...
I found the list of mime types at this url,
ftp://ftp.isi.edu/in-notes/iana/assignments/media-types/media-types
And, while scrolling down the list, I noticed there are not only mime types,
but there are also mime sub-types. Now, sure enough there are no periods in
mime types. However, there are periods in mime sub-types.
So, getting back to the command, match prot http mime <mime-type>, it seems
that mime type can be either mime type or mime sub-type. For example,
"jpeg" is a mime sub-type of mime type image and I've seen examples using
jpeg so it seems it's OK to use sub-types.
That said, the options available for using match prot http mime include
things like "images" which will pick all mime sub-types of mime type image
or specifying a particular mime sub-type such as any of the ones below
(except if they include a period?). Am I getting closer still?
Thanks, Tim
image   jpeg [RFC2045,RFC2046]
        gif [RFC2045,RFC2046]
        ief Image Exchange Format [RFC1314]
        g3fax [RFC1494]
        tiff Tag Image File Format [RFC2302]
        cgm Computer Graphics Metafile [Francis]
        naplps [Ferber]
        vnd.dwg [Moline]
        vnd.svf [Moline]
        vnd.dxf [Moline]
        png [Randers-Pehrson]
        vnd.fpx [Spencer]
        vnd.net-fpx [Spencer]
        vnd.xiff [SMartin]
        prs.btif [Simon]
        vnd.fastbidsheet [Becker]
        vnd.wap.wbmp [Stark]
        prs.pti [Laun]
        vnd.cns.inf2 [McLaughlin]
        vnd.mix [Reddy]
        vnd.fujixerox.edmics-rlc [Onda]
        vnd.fujixerox.edmics-mmr [Onda]
        vnd.fst [Fuldseth]
----- Original Message -----
From: "Scott Morris" <swm@emanon.com>
To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Andy'" <AndyMrozek@yahoo.com>
Cc: "'Group Study'" <ccielab@groupstudy.com>
Sent: Thursday, November 11, 2004 6:41 PM
Subject: RE: match protocol http [ url vs mime ]
> Closer. :)
>
> The period "." will never be part of the MIME type!!!
>
> Like I said, play with a sniffer.... It's a lot more educational and much
> less boring than the rfc's!!! ;)
>
> Scott
>
>
> -----Original Message-----
> From: ccie2be [mailto:ccie2be@nyc.rr.com]
> Sent: Thursday, November 11, 2004 6:24 PM
> To: swm@emanon.com; 'Andy'
> Cc: 'Group Study'
> Subject: Re: match protocol http [ url vs mime ]
>
> OK, I think I got it.
>
> Tell me if this is correct.
>
> If I match using the url keyword in the command, match prot http url
> <string>, then I'm only matching on web traffic that contains <string> in
> the url.
>
> So, let's assume that the image you see when you go to the cisco home page
> is a bmp image.
>
> If I want to classify on the basis of bmp images and config the following
>
> match prot http url "*.bmp"
>
> that will NOT work because there's no .bmp within the url string itself.
> The bmp is "embedded" in the web page.
>
> However, if I do this,
>
> match prot http mime "*.bmp"
>
> that will work because when I use the mime keyword, it looks for the
> embedded content in the web pages.
>
> I hope I'm right because otherwise I really don't understand when to use the
> url keyword versus the mime keyword.
>
> I apologize for my ignorance about this but I've never created a single web
> page in my life and I know nothing more about http except that it's what's
> used to code web pages.
>
> Thanks, again.
>
> ----- Original Message -----
> From: "Scott Morris" <swm@emanon.com>
> To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Andy'" <AndyMrozek@yahoo.com>
> Cc: "'Group Study'" <ccielab@groupstudy.com>
> Sent: Thursday, November 11, 2004 5:50 PM
> Subject: RE: match protocol http [ url vs mime ]
>
>
> > No, only the mime will work since the word "images" may or may not be in
> > your URL (only if someone stores all graphics in a /images directory
> > (instead of /image or something else)...
> >
> > Take a sniffer sometime (ethereal is good and free!) and look at all the
> > web requests that your station makes when you browse the web. Then look
> > specifically at the URLs that are requested. Go to a few different sites
> > and you'll see the variety on why this is hard.
> >
> > MIME types are fairly standard.
> >
> > HTH,
> >
> > Scott
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > ccie2be
> > Sent: Thursday, November 11, 2004 4:57 PM
> > To: Andy
> > Cc: Group Study
> > Subject: Re: match protocol http [ url vs mime ]
> >
> > Andy,
> >
> > Thanks again for getting back to me.
> >
> > Just let me make sure I fully understand you.
> >
> > If I want to block web surfers from seeing any pictures in any format I
> > would do this:
> >
> > class-map IMAGES
> > match prot http url "*images*"
> > or
> > match prot http mime "*images*"
> >
> > Either one will work, but the 1st one is more efficient. Have I got that
> > right?
> >
> > Now, is it possible using just 1 single match prot http command to specify
> > both jpeg and bmp or do I need multiple match prot statements?
> >
> > For example, will this work?
> >
> > class-map JPEG-&-BMP
> > match prot http mime "*jpeg | *bmp"
> >
> > Thanks, Tim
> >
> >
> >
> > ----- Original Message -----
> > From: "Andy" <AndyMrozek@yahoo.com>
> > To: "'ccie2be'" <ccie2be@nyc.rr.com>; <swm@emanon.com>; "'Group Study'"
> > <ccielab@groupstudy.com>
> > Sent: Thursday, November 11, 2004 3:43 PM
> > Subject: RE: match protocol http [ url vs mime ]
> >
> >
> > > I have tried both url / mime type ... Both work, as I have webserver and
> > > traffic generator .. In my opinion though I would use mime type as it seems
> > > to drop it a lot faster, and doesn't use as many network resources, with a
> > > sniffer in the path between client / server you see lots of attempts from
> > > client to keep pulling information when using url type, but only a few when
> > > using mime type, the only thing I think about mime type we need to know the
> > > various image types for example I had done "*image*" and it was blocking
> > > .bmp, .jpg, .gif so if you only are required to say block .bmp I think then
> > > you can use mime type unless there is a way to only block .bmp mime type but
> > > say let .jpg through...
> > >
> > > -Andy
> > >
> > > -----Original Message-----
> > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> > > ccie2be
> > > Sent: Thursday, November 11, 2004 12:27 PM
> > > To: swm@emanon.com; 'Group Study'
> > > Subject: Re: match protocol http [ url vs mime ]
> > >
> > >
> > > Hi Scott,
> > >
> > > Thanks for getting back to me.
> > >
> > > Before I posted the questions below I did a google and found the rfc for
> > > mime. Here's the link for anyone interested:
> > >
> > > http://www.mhonarc.org/~ehood/MIME/2045/rfc2045.html
> > >
> > > I started reading it but after a while my eyes glazed over and I didn't find
> > > anything that actually helped me figure out whether I should use the url or
> > > mime parameter of the match prot http command to accomplish this task.
> > >
> > > Maybe my brain isn't in good working order at the moment, but after reading
> > > your response, I'm still not sure whether I should use the url or mime
> > > parameter in the match protocol http command to classify jpeg's, gif's,
> > > mpeg's, etc.
> > >
> > > So, let's say I want to block web surfers from downloading jpeg's and avi's.
> > >
> > > Would I use
> > >
> > > match prot http url "*jpeg | *avi"
> > >
> > > or
> > >
> > > match prot http mime "*jpeg | *avi"
> > >
> > > Notice that I used the bar | to specify either jpeg OR avi. Is that OK?
> > >
> > > Thanks, Tim
> > >
> > > ----- Original Message -----
> > > From: "Scott Morris" <swm@emanon.com>
> > > To: "'ccie2be'" <ccie2be@nyc.rr.com>; "'Group Study'"
> > > <ccielab@groupstudy.com>
> > > Sent: Thursday, November 11, 2004 2:32 PM
> > > Subject: RE: match protocol http [ url vs mime ]
> > >
> > >
> > > > The protocol type represents a field within the HTTP structures... It will
> > > > never look like "*.jpeg". That's a filename call, and within the URL.
> > > >
> > > > MIME types are "image/jpeg", "image/gif", "video/avi" and things like
> > > > that... There's an RFC about Multimedia Independent Mail Extensions (MIME),
> > > > but I don't recall what its number is...
> > > >
> > > > Otherwise, take a look at your File Associations table in Windows and you'll
> > > > have an idea for different MIME types and their name.
> > > >
> > > > HTH,
> > > >
> > > >
> > > > Scott Morris, MCSE, CCDP, CCIE4 (R&S/ISP-Dial/Security/Service Provider)
> > > > #4713, JNCIP, CCNA-WAN Switching, CCSP, Cable Communications Specialist, IP
> > > > Telephony Support Specialist, IP Telephony Design Specialist, CISSP
> > > > CCSI #21903
> > > > swm@emanon.com
> > > >
> > > >
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > > > ccie2be
> > > > Sent: Thursday, November 11, 2004 12:31 PM
> > > > To: Group Study
> > > > Subject: match protocol http [ url vs mime ]
> > > >
> > > > Hi guys,
> > > >
> > > > I need some help figuring out when to use the "mime" parameter when matching
> > > > traffic.
> > > >
> > > > For example, if I want to apply a policy which filters or restricts traffic
> > > > that contains jpeg files which config should I use?
> > > >
> > > > class-map jpeg
> > > > match protocol http url "*.jpeg"
> > > >
> > > > or
> > > >
> > > > match protocol http mime "*.jpeg"
> > > >
> > > >
> > > > Also, can regular expressions be used within the quote marks?
> > > >
> > > > For example, is this OK?
> > > >
> > > > match prot http mime "*.jpeg | *.jpg | *.mpeg"
> > > >
> > > >
> > > > Any insight or help is greatly appreciated.
> > > >
> > > > TIA, Tim
> > > >
> > > >
> > >
> > >
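
Added example, not part of the original thread: the two strings the thread contrasts (the request URL and the response Content-Type), pulled from constructed HTTP messages, with each pattern from the discussion tried against both. Python's fnmatch glob matching stands in for the router's pattern matching, which is an assumption; the hosts, paths and function names are made up for illustration.

```python
from fnmatch import fnmatchcase

# Constructed captures (not from the thread): the same JPEG served from two
# differently laid-out sites.
REQ_PLAIN = "GET /assets/logo?id=42 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_NAMED = "GET /images/photo.jpeg HTTP/1.1\r\nHost: www.example.org\r\n\r\n"
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: image/jpeg\r\n"
    "Content-Length: 5120\r\n"
    "\r\n"
)


def request_url(raw):
    """URL from the request line: the string a url pattern is compared with."""
    _method, url, _version = raw.split("\r\n", 1)[0].split(" ", 2)
    return url


def response_mime(raw):
    """Content-Type value: the string a mime pattern is compared with."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return ""  # no Content-Type header: nothing for a mime pattern to hit


def classify(pattern, request, response):
    """Which of the two fields does this glob pattern hit? (fnmatch is assumed)"""
    return {
        "url": fnmatchcase(request_url(request), pattern),
        "mime": fnmatchcase(response_mime(response), pattern),
    }


if __name__ == "__main__":
    for req in (REQ_PLAIN, REQ_NAMED):
        print(request_url(req), "->", response_mime(RESPONSE))
        for pat in ("*.jpeg", "*jpeg", "*image*", "*images*"):
            print("   ", pat, classify(pat, req, RESPONSE))
```

The URL results change with how each site names its files, while the Content-Type results stay the same for both requests.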
This archive was generated by hypermail 2.1.4 : Thu Dec 02 2004 - 06:57:42 GMT-3