From: Oliver Grenham (ogrenham@optusnet.com.au)
Date: Thu Jan 20 2005 - 04:23:41 GMT-3
Tim,
Would it not have been possible to call an extended ACL as part of this
solution to match UDP port 1434? Or did this lab instruct you to use NBAR?
Ollie.
----- Original Message -----
From: "ccie2be" <ccie2be@nyc.rr.com>
To: "Group Study" <ccielab@groupstudy.com>
Sent: Thursday, January 20, 2005 6:05 AM
Subject: nbar
> Hi guys,
>
> This problem, from IE lab 15, task 9.1, is to filter a virus contained in SQL
> traffic that is 404 bytes in length.
>
> The official solution is this:
>
> ip nbar port-map custom-01 udp 1434 <-- different
> !
> class-map match-all SQL_SLAMMER
> match protocol custom-01 <-- different
> match packet length min 404 max 404
> !
> policy-map STOP_SQL_SLAMMER
> class SQL_SLAMMER
> drop
> !
> interface Ethernet0/0
> service-policy input STOP_SQL_SLAMMER
>
>
> When I did the config, I did it slightly differently. I think my config would
> work just as well but I can't test this -
>
> I don't have any Slammer worm packets hanging around.
>
> Instead of using the commands above marked as different, I used the
> following:
>
> ip nbar port-map sqlserver udp 1434
>
> match protocol sqlserver
>
> I also wonder about one other thing. By default, sqlserver packets use UDP
> and port 1434, as seen by doing "show ip nbar port-map". Therefore the only
> way it seems that the infected packets are distinguished from the real
> sqlserver traffic is by packet length. If that's true, couldn't the solution
> actually have looked like this?
>
> class-map match-all SQL_SLAMMER
> match protocol sqlserver
> match packet length min 404 max 404
>
> where no special ip nbar port-map is needed?
>
> Thanks, Tim
>
This archive was generated by hypermail 2.1.4 : Wed Feb 02 2005 - 22:10:24 GMT-3
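For reference, this is the extended-ACL variant that Ollie's question points at, written out as an added example; it is not part of the original post, the IE solution, or either author's config. It replaces the NBAR port-map/`match protocol` pair with an ACL on UDP 1434 and keeps the length test unchanged. The ACL, class-map and policy-map names are assumed, and Ethernet0/0 is taken from the quoted solution.

```cisco
! Added example (not from the original post): drop 404-byte UDP/1434 datagrams
! using an extended ACL instead of an NBAR port-map. Names are assumed.
ip access-list extended SQL_1434
 permit udp any any eq 1434
!
class-map match-all SQL_SLAMMER_ACL
 match access-group name SQL_1434
 match packet length min 404 max 404
!
policy-map STOP_SQL_SLAMMER_ACL
 class SQL_SLAMMER_ACL
  drop
!
interface Ethernet0/0
 service-policy input STOP_SQL_SLAMMER_ACL
!
! Check that packets are actually hitting the class (assumed to be run on the
! same router): class-map and drop counters appear under the interface policy.
! show policy-map interface Ethernet0/0
```

Two things worth noting when using this. `match-all` requires both conditions, so only UDP/1434 datagrams whose IP total length is exactly 404 bytes (Slammer's 376-byte payload plus the 8-byte UDP and 20-byte IP headers) are dropped; other traffic to the port passes. Conversely, any legitimate 404-byte datagram to UDP 1434 is dropped too, since neither this nor the NBAR version inspects the payload, so the class-map counters in `show policy-map interface` are the quickest way to confirm the policy is matching what you expect and nothing more.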