From: ccie2be (ccie2be@nyc.rr.com)
Date: Wed Jan 19 2005 - 20:05:39 GMT-3
Hi guys,
This problem, from IE lab 15, task 9.1, is to filter a virus contained in sql
traffic that is 404 bytes in length.
The official solution is this:
ip nbar port-map custom-01 udp 1434 <-- different
!
class-map match-all SQL_SLAMMER
match protocol custom-01 <-- different
match packet length min 404 max 404
!
policy-map STOP_SQL_SLAMMER
class SQL_SLAMMER
drop
!
interface Ethernet0/0
service-policy input STOP_SQL_SLAMMER
When I did the config, I did it slightly differently. I think my config would
work just as well but I can't test this -
I don't have any Slammer worm packets hanging around.
Instead of using the commands above marked as different, I used the
following:
ip nbar port-map sqlserver udp 1434
match protocol sqlserver
I also wonder about one other thing. By default, sqlserver packets use udp
and port 1434, as seen by doing show ip nbar port-map. Therefore the only way
it seems that the infected packets are distinguished from the real sqlserver
traffic is by packet length. If that's true, couldn't the solution actually
look like this?
class-map match-all SQL_SLAMMER
match protocol sqlserver
match packet length min 404 max 404
where no special ip nbar port-map is needed?
Thanks, Tim
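The following is an added example, not part of the original post: a small Python model of how a "class-map match-all" with "match protocol" (via an NBAR port-map) and "match packet length" classifies packets, used to compare the official custom-01 variant against the sqlserver variant on constructed sample packets. The Packet fields, the port-map dictionaries and the sample packets are assumptions made for the illustration; the length checked is modelled as the Layer 3 total length.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model (not IOS code) of the two class-map variants in the post:
# an NBAR port-map maps (l4 protocol, port) to a protocol name, a
# "class-map match-all" requires every match statement to be true, and the
# policy-map drops anything the class matches.

@dataclass(frozen=True)
class Packet:
    l4_proto: str          # "udp" or "tcp"
    dst_port: int
    ip_total_length: int   # assumed Layer 3 length checked by "match packet length"

PortMap = Dict[Tuple[str, int], str]

# Official solution: "ip nbar port-map custom-01 udp 1434"
OFFICIAL_PORT_MAP: PortMap = {("udp", 1434): "custom-01"}
# Tim's variant: "ip nbar port-map sqlserver udp 1434" (same port, different name)
ALT_PORT_MAP: PortMap = {("udp", 1434): "sqlserver"}

def nbar_protocol(port_map: PortMap, pkt: Packet) -> Optional[str]:
    """Return the NBAR protocol name for the packet, or None if nothing maps."""
    return port_map.get((pkt.l4_proto, pkt.dst_port))

def class_map_match_all(port_map: PortMap, protocol: str,
                        min_len: int, max_len: int, pkt: Packet) -> bool:
    """Model 'match protocol <name>' AND 'match packet length min X max Y'."""
    return (nbar_protocol(port_map, pkt) == protocol
            and min_len <= pkt.ip_total_length <= max_len)

def policy_drops(pkt: Packet, variant: str = "official") -> bool:
    """True if STOP_SQL_SLAMMER would drop the packet under the given variant."""
    if variant == "official":
        return class_map_match_all(OFFICIAL_PORT_MAP, "custom-01", 404, 404, pkt)
    return class_map_match_all(ALT_PORT_MAP, "sqlserver", 404, 404, pkt)

# Constructed sample traffic: only the 404-byte udp/1434 packet should match.
SAMPLE_PACKETS: List[Packet] = [
    Packet("udp", 1434, 404),   # matches both protocol and length
    Packet("udp", 1434, 120),   # normal SQL resolution traffic, wrong length
    Packet("udp", 1434, 405),   # off by one byte, not dropped
    Packet("tcp", 1434, 404),   # right length, but tcp is not in the port-map
    Packet("udp", 53, 404),     # right length, wrong port
]

def classify_all(variant: str) -> List[bool]:
    """Drop decision for every sample packet under one variant."""
    return [policy_drops(p, variant) for p in SAMPLE_PACKETS]

if __name__ == "__main__":
    for p, off, alt in zip(SAMPLE_PACKETS, classify_all("official"), classify_all("alt")):
        print(p, "official drop:", off, "alt drop:", alt)
```

Under this model both port-map variants classify every sample packet identically, which is the equivalence the post is asking about; the model does not cover how NBAR's built-in sqlserver port-map interacts with a re-mapped name on a real router.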
This archive was generated by hypermail 2.1.4 : Wed Feb 02 2005 - 22:10:24 GMT-3