From: sumit.kumar@comcast.net
Date: Sat Jun 04 2005 - 13:56:09 GMT-3
Tim, Sean,
Thanks for your appreciation, it helps to keep the morale up in this fight with green books and green boxes.
Tim,
looking at the header, the request (GET/PUT) field does not carry the hostname (www.cisco.com); similarly, the host field does not carry the folder name (/whatsnew/).
If the requirement is to make a full match I will go with two statements,
match url "/whatsnew/*"
match host "www.cisco.com"
If you add anything more it will be a mismatch.
The bottom line is the "match" should be as specific as possible and you can cover the arbitrary values (like the files in the directory) with *.
Sean,
Since it is a regular expression based match (like an as-path list) the * would not hurt, but again we should try to make the match as precise as possible. Think in terms of an as-path access-list, keeping in mind the differences - like you will never have more than one hostname in the host field etc.
Also the inverted commas are complimentary; you'll see them in the config even if you do not use them.
thanks
Sumit
-------------- Original message --------------
> Sumit,
>
> Thanks for taking the time to write up that response. It was excellent !!!
>
> I really appreciate it as I'm sure many, many others on GS do as well.
>
> From your post, I see how the match http url and the match http host
> commands work.
>
> Based on your post, it appears to me that if you have both a host and a
> directory portion you want to match, you HAVE TO use both match commands, ie
> you HAVE TO use both the match url and the match host commands.
>
> Would you agree with that?
>
> If so, would you also agree that the problem of including both portions in
> one match command is that the match command will ignore some portion of the
> string to be matched?
>
> IOW, if I use this command,
>
> match prot http url "www.cisco.com/latest/whatsnew.html"
>
> the host portion is ignored?
>
> And, likewise, if I use this command,
>
> match prot http host "www.cisco.com/latest/whatsnew.html"
>
> the portion after "www.cisco.com" will be ignored?
>
> Thanks again for your valuable input on this topic.
>
> Tim
>
> -----Original Message-----
> From: Sumit [mailto:sumit.kumar@comcast.net]
> Sent: Saturday, June 04, 2005 10:59 AM
> To: Sean C; ccie2be@nyc.rr.com; ccielab@groupstudy.com
> Subject: Re: using NBAR to match web traffic
>
> Sean,
>
> I'm sure you would have read this on CCO
>
> "When specifying a URL for classification, include only the portion of the
> URL following the www.hostname.domain in the match statement. For example,
> for the URL www.cisco.com/latest/whatsnew.html, include only
> /latest/whatsnew.html.
> HOST specification is identical to URL specification. NBAR performs a
> regular expression match on the HOST field contents inside an HTTP GET
> packet and classifies all packets from that host. For example, for the URL
> www.cisco.com/latest/whatsnew.html, include only www.cisco.com.
>
> For MIME type matching, the MIME type can contain any user-specified text
> string. In MIME type matching, NBAR classifies the packet containing the
> MIME type and all subsequent packets, which are sent to the source of the
> HTTP GET request."
>
> Now let's look at the HTTP request header. Go to http://web-sniffer.net/ and type
>
> http://www.web-apps.com/web-app/ in url field - here's the output :
>
>
> GET /web-app/ HTTP/1.1
> Host: www.web-apps.com
> Connection: close
> Accept-Encoding: gzip
> Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
> application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword,
> application/pdf, application/x-shockwave-flash, */*[CRLF]
> Accept-Language: en-us[CRLF]
>
> In the output the GET request field has only "/web-app/", which will be
> searched by "match http url", and the host field has the FQDN, which will be
> searched by the "match host" command. "Match mime" will also look in the GET
> field; here's the output if you have logo.gif in the url: it appears in the
> GET field
>
> GET /logo.gif HTTP/1.1
> Host: www.fake.com
> Connection: close
> Accept-Encoding: gzip
>
> I hope it helps.
>
> Sumit
>
>
> From: "Sean C"
> To: ; ;
>
> Sent: Saturday, June 04, 2005 10:08 AM
> Subject: Re: using NBAR to match web traffic
>
>
> > Hi Sumit,
> >
> > I appreciate the answer because I'm an admitted newbie on this - but what
> is
> > the difference then? Or, more specifically, what is the value of using
> the
> > 'match http host' command? I think I understand that 'match http host'
> will
> > just search the http header, and 'match http url' will look at the
> > requests - but I'm not sure why to use 'host' at all then.
> >
> > I tried a couple of googles but still don't see the value. Appreciate any
> > help offered,
> > Sean
> > ----- Original Message -----
> > From:
> > To: "Sam Joseph" ; ;
> > ;
> > Sent: Friday, June 03, 2005 8:23 PM
> > Subject: RE: using NBAR to match web traffic
> >
> >
> > > Remember "match http url' looks at the GET/PUT/TRACE etc. requests
> whereas
> > > "match http host" searches the host field in the http header.
> > >
> > > Google "http header" , lot of sites allow you to see the http header
> for
> > > any url. That will give a clear understanding.
> > >
> > > Sumit
> > > -------------- Original message --------------
> > >
> > >> How about this Config:
> > >>
> > >> class-map match-all WEB-APP
> > >> match protocol http host *www.web-based-app.com*
> > >> match protocol http url *webapp/*
> > >>
> > >> Thanks.
> > >>
> > >> >From: "ccie2be"
> > >> >Reply-To: "ccie2be"
> > >> >To: "'Stephen Fisher'" , "Group Study"
> > >> >
> > >> >Subject: RE: using NBAR to match web traffic
> > >> >Date: Fri, 3 Jun 2005 18:50:32 -0400
> > >> >
> > >> >Hey Steve,
> > >> >
> > >> >Actually, that missing * was a typo. I meant to include it.
> > >> >
> > >> >The reason I posted this question was because the IE Solution was
> > >> >different.
> > >> >
> > >> >This is the IE solution:
> > >> >
> > >> >class-map match-all WEB-APP
> > >> > match prot http host "www.web-based-app.com"
> > >> > match prot http url "webapp/*"
> > >> >
> > >> >
> > >> >As you can see, IE breaks it down into 2 match statements. And, I
> wanted
> > >> >to
> > >> >know if the way I thought of would work being that it's different from
> > >> >the
> > >> >IE Solution.
> > >> >
> > >> >I know that often there is more than 1 correct way to accomplish
> > >> >something
> > >> >but without knowing how to verify my config, I can't be sure if this
> is
> > >> >one
> > >> >of them.
> > >> >
> > >> >Thanks for getting back to me.
> > >> >
> > >> >-----Original Message-----
> > >> >From: Stephen Fisher [mailto:stephentfisher@yahoo.com]
> > >> >Sent: Friday, June 03, 2005 6:28 PM
> > >> >To: ccielab@groupstudy.com
> > >> >Cc: ccie2be
> > >> >Subject: Re: using NBAR to match web traffic
> > >> >
> > >> >On Fri, Jun 03, 2005 at 01:52:45PM -0400, ccie2be wrote:
> > >> >
> > >> > > I want to permit users to access only a web based application which
> > >> > > has a root directory of
> > >> > >
> > >> > > http://www.web-based-app.com/webapp/
> > >> > >
> > >> > > Will this work?
> > >> > >
> > >> > > class-map WEB-APP
> > >> > > match protocol http url "http://www.web-based-app.com/webapp/"
> > >> >
> > >> >My notes from practicing this topic say that you need to put wildcards
> > >> >or else it will match only what you specify for the URL field, so
> > >> >try this:
> > >> >
> > >> > match protocol http url "http://www.web-based-app.com/webapp/*"
> > >> >
> > >> >Although I could be wrong?
> > >> >
> > >> > > In the lab, if giving a similar fake url, is there any way to
> verify
> > >> > > my config is correct?
> > >> >
> > >> >I can't think of any other than knowing how it works before hand :(
> > >> >
> > >> >
> > >> >Steve
> > >> >
> > >>
> >_______________________________________________________________________
> > >> >Subscription information may be found at:
> > >> >http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:40 GMT-3
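
Added example, not part of the original thread: a small Python model of the point made above, that the request line and the Host header are separate fields and each pattern is compared only against its own field. It assumes glob-style `*` matching (Python's `fnmatch`) as a simplified stand-in for NBAR's pattern matching; `parse_request` and `classify` are hypothetical names and the sample request is constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample request (not captured traffic).
SAMPLE_REQUEST = (
    b"GET /whatsnew/index.html HTTP/1.1\r\n"
    b"Host: www.cisco.com\r\n"
    b"Connection: close\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"\r\n"
)


def parse_request(raw: bytes):
    """Return (request_target, host) from a raw HTTP/1.x request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()  # hostnames are case-insensitive
    return target, host


def classify(raw: bytes, url_pattern=None, host_pattern=None) -> bool:
    """Model of a match-all class: every configured pattern must match
    its own field (url -> request target, host -> Host header)."""
    target, host = parse_request(raw)
    if url_pattern is not None and not fnmatchcase(target, url_pattern):
        return False
    if host_pattern is not None and not fnmatchcase(host, host_pattern.lower()):
        return False
    return True


if __name__ == "__main__":
    print(parse_request(SAMPLE_REQUEST))
    # Two statements, one per field: the request is classified.
    print(classify(SAMPLE_REQUEST, url_pattern="/whatsnew/*",
                   host_pattern="www.cisco.com"))
    # Host and path combined in one pattern: neither field contains both.
    combined = "www.cisco.com/whatsnew/*"
    print(classify(SAMPLE_REQUEST, url_pattern=combined))
    print(classify(SAMPLE_REQUEST, host_pattern=combined))
```
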