RE: using NBAR to match web traffic

From: ccie2be (ccie2be@nyc.rr.com)
Date: Sat Jun 04 2005 - 12:28:59 GMT-3


Sumit,

Thanks for taking the time to write up that response. It was excellent!!!

I really appreciate it as I'm sure many, many others on GS do as well.

From your post, I see how the match http url and the match http host
commands work.

Based on your post, it appears to me that if you have both a host and a
directory portion you want to match, you HAVE TO use both match commands, i.e.
you HAVE TO use both the match url and the match host commands.

Would you agree with that?

If so, would you also agree that the problem of including both portions in
one match command is that the match command will ignore some portion of the
string to be matched?

IOW, if I use this command,

match prot http url "www.cisco.com/latest/whatsnew.html"

the host portion is ignored?

And, likewise, if I use this command,

match prot http host "www.cisco.com/latest/whatsnew.html"

the portion after "www.cisco.com" will be ignored?

Thanks again for your valuable input on this topic.

Tim

-----Original Message-----
From: Sumit [mailto:sumit.kumar@comcast.net]
Sent: Saturday, June 04, 2005 10:59 AM
To: Sean C; ccie2be@nyc.rr.com; ccielab@groupstudy.com
Subject: Re: using NBAR to match web traffic

Sean,

I'm sure you would have read this on CCO

 "When specifying a URL for classification, include only the portion of the
URL following the www.hostname.domain in the match statement. For example,
for the URL www.cisco.com/latest/whatsnew.html, include only
/latest/whatsnew.html.
HOST specification is identical to URL specification. NBAR performs a
regular expression match on the HOST field contents inside an HTTP GET
packet and classifies all packets from that host. For example, for the URL
www.cisco.com/latest/whatsnew.html, include only www.cisco.com.

For MIME type matching, the MIME type can contain any user-specified text
string. In MIME type matching, NBAR classifies the packet containing the
MIME type and all subsequent packets, which are sent to the source of the
HTTP GET request."

Now let's look at the HTTP request header. Go to http://web-sniffer.net/ and type

http://www.web-apps.com/web-app/ in the URL field - here's the output:

GET /web-app/ HTTP/1.1
Host: www.web-apps.com
Connection: close
Accept-Encoding: gzip
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword,
application/pdf, application/x-shockwave-flash, */*[CRLF]
Accept-Language: en-us[CRLF]

In the output, the GET request field has only "/web-app/", which will be
searched by "match http url", and the Host field has the FQDN, which will be
searched by the "match host" command. "Match mime" will also look in the GET
field; here's the output if you have logo.gif in the URL: it appears in the GET
field:

GET /logo.gif HTTP/1.1
GET /logo.gif HTTP/1.1
Host: www.fake.com
Connection: close
Accept-Encoding: gzip

I hope it helps.

Sumit

From: "Sean C" <Upp_and_Upp@hotmail.com>
To: <sumit.kumar@comcast.net>; <ccie2be@nyc.rr.com>;
<ccielab@groupstudy.com>
Sent: Saturday, June 04, 2005 10:08 AM
Subject: Re: using NBAR to match web traffic

> Hi Sumit,
>
> I appreciate the answer because I'm an admitted newbie on this - but what is
> the difference then? Or, more specifically, what is the value of using the
> 'match http host' command? I think I understand that 'match http host' will
> just search the http header, and 'match http url' will look at the
> requests - but I'm not sure why to use 'host' at all then.
>
> I tried a couple of googles but still don't see the value. Appreciate any
> help offered,
> Sean
> ----- Original Message -----
> From: <sumit.kumar@comcast.net>
> To: "Sam Joseph" <samjoseph747@hotmail.com>; <ccie2be@nyc.rr.com>;
> <stephentfisher@yahoo.com>; <ccielab@groupstudy.com>
> Sent: Friday, June 03, 2005 8:23 PM
> Subject: RE: using NBAR to match web traffic
>
>
> > Remember "match http url" looks at the GET/PUT/TRACE etc. requests whereas
> > "match http host" searches the host field in the http header.
> >
> > Google "http header", lots of sites allow you to see the http header for
> > any url. That will give a clear understanding.
> >
> > Sumit
> > -------------- Original message --------------
> >
> >> How about this Config:
> >>
> >> class-map match-all WEB-APP
> >> match protocol http host *www.web-based-app.com*
> >> match protocol http url *webapp/*
> >>
> >> Thanks.
> >>
> >> >From: "ccie2be"
> >> >Reply-To: "ccie2be"
> >> >To: "'Stephen Fisher'" , "Group Study"
> >> >
> >> >Subject: RE: using NBAR to match web traffic
> >> >Date: Fri, 3 Jun 2005 18:50:32 -0400
> >> >
> >> >Hey Steve,
> >> >
> >> >Actually, that missing * was a typo. I meant to include it.
> >> >
> >> >The reason I posted this question was because the IE Solution was
> >> >different.
> >> >
> >> >This is the IE solution:
> >> >
> >> >class-map match-all WEB-APP
> >> > match prot http host "www.web-based-app.com"
> >> > match prot http url "webapp/*"
> >> >
> >> >
> >> >As you can see, IE breaks it down into 2 match statements. And, I wanted
> >> >to know if the way I thought of would work being that it's different from
> >> >the IE Solution.
> >> >
> >> >I know that often there is more than 1 correct way to accomplish something
> >> >but without knowing how to verify my config, I can't be sure if this is one
> >> >of them.
> >> >
> >> >Thanks for getting back to me.
> >> >
> >> >-----Original Message-----
> >> >From: Stephen Fisher [mailto:stephentfisher@yahoo.com]
> >> >Sent: Friday, June 03, 2005 6:28 PM
> >> >To: ccielab@groupstudy.com
> >> >Cc: ccie2be
> >> >Subject: Re: using NBAR to match web traffic
> >> >
> >> >On Fri, Jun 03, 2005 at 01:52:45PM -0400, ccie2be wrote:
> >> >
> >> > > I want to permit users to access only a web based application which
> >> > > has a root directory of
> >> > >
> >> > > http://www.web-based-app.com/webapp/
> >> > >
> >> > > Will this work?
> >> > >
> >> > > class-map WEB-APP
> >> > > match protocol http url "http://www.web-based-app.com/webapp/"
> >> >
> >> >My notes from practicing this topic say that you need to put wildcards
> >> >or else it will match only what you specify for the URL field, so
> >> >try this:
> >> >
> >> > match protocol http url "http://www.web-based-app.com/webapp/*"
> >> >
> >> >Although I could be wrong?
> >> >
> >> > > In the lab, if given a similar fake url, is there any way to verify
> >> > > my config is correct?
> >> >
> >> >I can't think of any other than knowing how it works before hand :(
> >> >
> >> >
> >> >Steve
> >> >
> >> >_______________________________________________________________________
> >> >Subscription information may be found at:
> >> >http://www.groupstudy.com/list/CCIELab.html
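A small simulator of what the thread describes, added here as an example that is not from any of the posters: it parses an HTTP/1.1 request head shaped like the web-sniffer output above and applies "match protocol http host" / "match protocol http url" patterns to the Host header and to the request-target respectively, with match-all semantics. It assumes NBAR's * and ? wildcards and an anchored whole-field match (Stephen's note that a pattern without wildcards matches only exactly what was typed); parse_request, match_http and the sample request are constructed for this example, not taken from IOS.

```python
import re
from typing import Dict, Optional

# Constructed sample request (hypothetical site), shaped like the web-sniffer.net output in the thread.
SAMPLE_REQUEST = (
    "GET /webapp/index.html HTTP/1.1\r\n"
    "Host: www.web-based-app.com\r\n"
    "Connection: close\r\n"
    "Accept-Encoding: gzip\r\n"
    "\r\n"
)

def parse_request(raw: str) -> Dict[str, str]:
    """Split an HTTP/1.1 request head into the request-target and the Host header value."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "host": headers.get("host", "")}

def nbar_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the '*' (any string) and '?' (one character) wildcards of
    'match protocol http host|url' into a regex. Assumption: the pattern must cover
    the whole field, so a pattern with no wildcard matches only exactly what was typed."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts))

def match_http(raw: str, host: Optional[str] = None, url: Optional[str] = None) -> bool:
    """Emulate 'class-map match-all': each configured criterion must hit its own field.
    The host pattern only sees the Host header; the url pattern only sees the
    request-target of the GET line, which in an origin-form request carries no scheme
    or hostname. That is why one url statement cannot cover both parts of a URL."""
    req = parse_request(raw)
    if host is not None and not nbar_pattern_to_regex(host).fullmatch(req["host"]):
        return False
    if url is not None and not nbar_pattern_to_regex(url).fullmatch(req["target"]):
        return False
    return True

if __name__ == "__main__":
    # Two statements, as in the IE-style class-map: matches.
    print(match_http(SAMPLE_REQUEST, host="www.web-based-app.com", url="*webapp/*"))
    # Whole URL in the url statement: the GET line never contains the host, so no match.
    print(match_http(SAMPLE_REQUEST, url="http://www.web-based-app.com/webapp/*"))
```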



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:40 GMT-3