From: Sean C (Upp_and_Upp@hotmail.com)
Date: Sat Jun 04 2005 - 13:05:06 GMT-3
Hi Sumit,
Wow!! Thank you so much for the explanation. After reading a bunch of
Cisco docs and what I can find in various books, I think your explanation
makes me finally able to understand this!
Just for confirmation, if I had to match:
> http://www.web-apps.com/web-app/
match protocol http host www.web-based-app.com*
match protocol url */web-app/*
If I had to match:
> http://www.web-apps.com/logo.gif
match protocol http host www.web-based-app.com*
match protocol mime *logo.gif$
And if I had to match:
> http://www.web-apps.com/web-app/logo.gif
match protocol http host www.web-based-app.com*
match protocol url */web-app/*
match protocol mime *logo.gif$
Again, I can't state how much I appreciate your time and explanation!
Sean
----- Original Message -----
From: "Sumit" <sumit.kumar@comcast.net>
To: "Sean C" <Upp_and_Upp@hotmail.com>; <ccie2be@nyc.rr.com>;
<ccielab@groupstudy.com>
Sent: Saturday, June 04, 2005 10:59 AM
Subject: Re: using NBAR to match web traffic
> Sean,
>
> I'm sure you would have read this on CCO
>
> "When specifying a URL for classification, include only the portion of the
> URL following the www.hostname.domain in the match statement. For example,
> for the URL www.cisco.com/latest/whatsnew.html, include only
> /latest/whatsnew.html.
> HOST specification is identical to URL specification. NBAR performs a
> regular expression match on the HOST field contents inside an HTTP GET
> packet and classifies all packets from that host. For example, for the URL
> www.cisco.com/latest/whatsnew.html, include only www.cisco.com.
>
> For MIME type matching, the MIME type can contain any user-specified text
> string. In MIME type matching, NBAR classifies the packet containing the
> MIME type and all subsequent packets, which are sent to the source of the
> HTTP GET request."
>
> Now let's look at the HTTP request header. Go to http://web-sniffer.net/ and
> type
>
> http://www.web-apps.com/web-app/ in url field - here's the output :
>
>
> GET /web-app/ HTTP/1.1
> Host: www.web-apps.com
> Connection: close
> Accept-Encoding: gzip
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-powerpoint, application/vnd.ms-excel,
> application/msword,
> application/pdf, application/x-shockwave-flash, */*[CRLF]
> Accept-Language: en-us[CRLF]
>
> In the output the GET request field has only "/web-app/", which will be
> searched by "match http url", and the host field, which has the FQDN, will be
> searched by the "match host" command. "Match mime" will also look in the GET
> field; here's the output if you have logo.gif in the url: it appears in the
> GET field
>
> GET /logo.gif HTTP/1.1
> Host: www.fake.com
> Connection: close
> Accept-Encoding: gzip
>
> I hope it helps.
>
> Sumit
>
>
> From: "Sean C" <Upp_and_Upp@hotmail.com>
> To: <sumit.kumar@comcast.net>; <ccie2be@nyc.rr.com>;
> <ccielab@groupstudy.com>
> Sent: Saturday, June 04, 2005 10:08 AM
> Subject: Re: using NBAR to match web traffic
>
>
>> Hi Sumit,
>>
>> I appreciate the answer because I'm an admitted newbie on this - but what is
>> the difference then? Or, more specifically, what is the value of using the
>> 'match http host' command? I think I understand that 'match http host' will
>> just search the http header, and 'match http url' will look at the
>> requests - but I'm not sure why to use 'host' at all then.
>>
>> I tried a couple of googles but still don't see the value. Appreciate any
>> help offered,
>> Sean
>> ----- Original Message -----
>> From: <sumit.kumar@comcast.net>
>> To: "Sam Joseph" <samjoseph747@hotmail.com>; <ccie2be@nyc.rr.com>;
>> <stephentfisher@yahoo.com>; <ccielab@groupstudy.com>
>> Sent: Friday, June 03, 2005 8:23 PM
>> Subject: RE: using NBAR to match web traffic
>>
>>
>> > Remember "match http url" looks at the GET/PUT/TRACE etc. requests whereas
>> > "match http host" searches the host field in the http header.
>> >
>> > Google "http header"; a lot of sites allow you to see the http header for
>> > any url. That will give a clear understanding.
>> >
>> > Sumit
>> > -------------- Original message --------------
>> >
>> >> How about this Config:
>> >>
>> >> class-map match-all WEB-APP
>> >> match protocol http host *www.web-based-app.com*
>> >> match protocol http url *webapp/*
>> >>
>> >> Thanks.
>> >>
>> >> >From: "ccie2be"
>> >> >Reply-To: "ccie2be"
>> >> >To: "'Stephen Fisher'" , "Group Study"
>> >> >
>> >> >Subject: RE: using NBAR to match web traffic
>> >> >Date: Fri, 3 Jun 2005 18:50:32 -0400
>> >> >
>> >> >Hey Steve,
>> >> >
>> >> >Actually, that missing * was a typo. I meant to include it.
>> >> >
>> >> >The reason I posted this question was because the IE Solution was
>> >> >different.
>> >> >
>> >> >This is the IE solution:
>> >> >
>> >> >class-map match-all WEB-APP
>> >> > match prot http host "www.web-based-app.com"
>> >> > match prot http url "webapp/*"
>> >> >
>> >> >
>> >> >As you can see, IE breaks it down into 2 match statements. And, I wanted
>> >> >to know if the way I thought of would work being that it's different
>> >> >from the IE Solution.
>> >> >
>> >> >I know that often there is more than 1 correct way to accomplish
>> >> >something but without knowing how to verify my config, I can't be sure
>> >> >if this is one of them.
>> >> >
>> >> >Thanks for getting back to me.
>> >> >
>> >> >-----Original Message-----
>> >> >From: Stephen Fisher [mailto:stephentfisher@yahoo.com]
>> >> >Sent: Friday, June 03, 2005 6:28 PM
>> >> >To: ccielab@groupstudy.com
>> >> >Cc: ccie2be
>> >> >Subject: Re: using NBAR to match web traffic
>> >> >
>> >> >On Fri, Jun 03, 2005 at 01:52:45PM -0400, ccie2be wrote:
>> >> >
>> >> > > I want to permit users to access only a web based application
>> >> > > which
>> >> > > has a root directory of
>> >> > >
>> >> > > http://www.web-based-app.com/webapp/
>> >> > >
>> >> > > Will this work?
>> >> > >
>> >> > > class-map WEB-APP
>> >> > > match protocol http url "http://www.web-based-app.com/webapp/"
>> >> >
>> >> >My notes from practicing this topic say that you need to put
>> >> >wildcards
>> >> >or else it will match only what you specify for the URL field, so
>> >> >try this:
>> >> >
>> >> > match protocol http url "http://www.web-based-app.com/webapp/*"
>> >> >
>> >> >Although I could be wrong?
>> >> >
>> >> > > In the lab, if giving a similar fake url, is there any way to verify
>> >> > > my config is correct?
>> >> >
>> >> >I can't think of any other than knowing how it works beforehand :(
>> >> >
>> >> >
>> >> >Steve
>> >> >
>> >>
>>_______________________________________________________________________
>> >> >Subscription information may be found at:
>> >> >http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:40 GMT-3
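
Added example, not part of the original thread and not Cisco code: a small Python model of the point made in the quoted CCO text, that the URL field of a request carries only the path while the hostname travels in the Host header. The request is constructed, the function names are hypothetical, and shell-style globs stand in for NBAR's own pattern matching as an approximation.

```python
from fnmatch import fnmatchcase

# Constructed sample request, modelled on the header dump quoted in the thread.
SAMPLE_REQUEST = (
    "GET /webapp/login.html HTTP/1.1\r\n"
    "Host: www.web-based-app.com\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def http_fields(raw):
    """Split a raw HTTP request into the two fields the thread discusses:
    'url' (the request-target on the request line) and 'host' (Host header)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "url": target, "host": headers.get("host", "")}


def class_map_matches(raw, statements, match_all=True):
    """Evaluate (field, pattern) statements like a match-all / match-any class-map.
    Patterns are shell-style globs: an approximation, not NBAR's own engine."""
    fields = http_fields(raw)
    results = [fnmatchcase(fields[f], p) for f, p in statements]
    return all(results) if match_all else any(results)


# Single statement carrying the whole URL, as in the first question of the thread.
FULL_URL = [("url", "http://www.web-based-app.com/webapp/*")]
# Host and path split into two statements, as in the later configs.
SPLIT = [("host", "*www.web-based-app.com*"), ("url", "*webapp/*")]

if __name__ == "__main__":
    print(http_fields(SAMPLE_REQUEST))
    print("full URL in one statement:", class_map_matches(SAMPLE_REQUEST, FULL_URL))
    print("host + url statements:    ", class_map_matches(SAMPLE_REQUEST, SPLIT))
    other = SAMPLE_REQUEST.replace("www.web-based-app.com", "www.other.example")
    print("same path, other host:    ", class_map_matches(other, SPLIT))
```

The last case shows why the host statement matters in a match-all class: the path pattern alone would also classify requests for the same path on any other server.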