Re: NBAR Not matching !

From: Piotr Jelonek (piotr@jelonek.info)
Date: Sun Jun 05 2005 - 17:48:19 GMT-3


On nie, cze 05, 2005 at 04:28:57 -0400, Bob Sinclair wrote:
> I have been able to get NBAR to match against the following class-map:
>
> Class Map match-all CIF (id 3)
> Match protocol http url "*cifs*"
>
> by telnetting to ubix.org 80, followed by: GET /cifs/NetBIOS.html HTTP/1.0
> ENTER ENTER
>
> I noticed that a "drop" for this class seems to work inbound, but not outbound
> (for the GET). Any tips on testing NBAR HTTP matches via telnet for lab
> purposes?

Hi All.

Are you not losing something there?
I think when you telnet to port 80 and type on your keyboard "GET ..." it works
totally differently than if you run your browser and request some address.

If you telnet to port 80 and type "G" "E" "T" " " .... each character
is sent in a separate packet. Just like I did (look at the length of each
packet):

...
*Mar 4 11:10:35.913: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
*Mar 4 11:10:35.913: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
*Mar 4 11:10:35.913: TCP src=11030, dst=80, seq=2273826937, ack=135567464, win=4128 ACK PSH
*Mar 4 11:10:36.113: IP: tableid=0, s=150.2.1.1 (local), d=128.2.0.3 (Ethernet0/0), routed via RIB
*Mar 4 11:10:36.726: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
*Mar 4 11:10:36.726: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
*Mar 4 11:10:36.726: TCP src=11030, dst=80, seq=2273826938, ack=135567464, win=4128 ACK PSH
*Mar 4 11:10:36.927: IP: tableid=0, s=150.2.1.1 (local), d=128.2.0.3 (Ethernet0/0), routed via RIB
*Mar 4 11:10:37.095: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
*Mar 4 11:10:37.099: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
*Mar 4 11:10:37.099: TCP src=11030, dst=80, seq=2273826939, ack=135567464, win=4128 ACK PSH
*Mar 4 11:10:37.255: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
*Mar 4 11:10:37.255: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
*Mar 4 11:10:37.255: TCP src=11030, dst=80, seq=2273826940, ack=135567464, win=4128 ACK PSH
*Mar 4 11:10:37.299: IP: tableid=0, s=150.2.1.1 (local), d=128.2.0.3 (Ethernet0/0), routed via RIB
*Mar 4 11:10:37.440: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
*Mar 4 11:10:37.440: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
..

Do you think that NBAR will gather packets in some buffer and check each request?
I don't think so.

If you run your browser and type in some address, then hit ENTER - your request
is sent in one packet - now NBAR has something to look at.

Do you agree with me?

        Regards,
        Piotr

-- 
piotr <at> jelonek <dot> info
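An added illustration of the point made above, not code from either poster: the script below first reads the `debug ip packet` lines quoted in the reply and turns each `len 41` datagram into a payload length (assuming 20-byte IP and TCP headers with no options, so 41 - 40 = 1 byte per keystroke), then runs the same `GET /cifs/NetBIOS.html` request through two simplified classifiers. One inspects each TCP payload in isolation, the other concatenates payloads in order before looking for the request line. Both are toy models written for this example, not Cisco's NBAR implementation; the glob pattern `*cifs*` is the one from the class-map in the thread.

```python
import fnmatch
import re
from typing import List, Optional

# 'debug ip packet' output quoted from the post; every 'len 41' datagram carries
# exactly one byte of typed payload once the two 20-byte headers are subtracted.
DEBUG_LINES = """\
*Mar 4 11:10:35.913: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
*Mar 4 11:10:35.913: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
*Mar 4 11:10:35.913: TCP src=11030, dst=80, seq=2273826937, ack=135567464, win=4128 ACK PSH
*Mar 4 11:10:36.726: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
*Mar 4 11:10:37.099: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
*Mar 4 11:10:37.255: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
*Mar 4 11:10:37.440: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
"""

# Assumption: no IP or TCP options on these segments, so both headers are 20 bytes.
IP_HDR_LEN = 20
TCP_HDR_LEN = 20

# Matches the summary line that carries the total datagram length.
IP_LEN_RE = re.compile(r"IP: s=[\d.]+ \(\S+\), d=[\d.]+, len (\d+), rcvd")

# The request Bob typed; telnet sends ENTER as CR LF.
REQUEST = "GET /cifs/NetBIOS.html HTTP/1.0\r\n\r\n"
PATTERN = "*cifs*"  # NBAR-style glob from the class-map in the thread

# A complete HTTP request line: method, URL, version, terminated by CR LF.
REQUEST_LINE_RE = re.compile(rb"^(?:GET|HEAD|POST) (\S+) HTTP/1\.[01]\r\n")


def payload_lengths(debug_output: str) -> List[int]:
    """TCP payload bytes per datagram, derived from each 'len N' debug line."""
    lengths = []
    for line in debug_output.splitlines():
        m = IP_LEN_RE.search(line)
        if m:
            lengths.append(int(m.group(1)) - IP_HDR_LEN - TCP_HDR_LEN)
    return lengths


def typed_over_telnet(request: str) -> List[bytes]:
    """Interactive telnet: every keystroke leaves as its own one-byte segment."""
    return [ch.encode("ascii") for ch in request]


def sent_by_browser(request: str) -> List[bytes]:
    """A browser writes the whole request at once; modelled as one segment."""
    return [request.encode("ascii")]


def request_url(data: bytes) -> Optional[str]:
    """URL of the request line if `data` starts with a complete one, else None."""
    m = REQUEST_LINE_RE.match(data)
    return m.group(1).decode("ascii") if m else None


def classify_per_packet(segments: List[bytes], pattern: str) -> bool:
    """Stateless model: each TCP payload is inspected on its own.

    The first segment holding a complete request line decides the verdict."""
    for seg in segments:
        url = request_url(seg)
        if url is not None:
            return fnmatch.fnmatchcase(url, pattern)
    return False


def classify_reassembled(segments: List[bytes], pattern: str, window: int = 4096) -> bool:
    """Stateful model: payloads are concatenated in order until a request line is
    complete, or until `window` bytes have been seen without one."""
    buf = b""
    for seg in segments:
        buf += seg
        if len(buf) > window:
            return False  # no request line inside the inspection window
        url = request_url(buf)
        if url is not None:
            return fnmatch.fnmatchcase(url, pattern)
    return False


def main() -> None:
    print("payload bytes per datagram:", payload_lengths(DEBUG_LINES))
    for label, segs in (("telnet", typed_over_telnet(REQUEST)),
                        ("browser", sent_by_browser(REQUEST))):
        print(f"{label:8s} per-packet: {classify_per_packet(segs, PATTERN)}"
              f"  reassembled: {classify_reassembled(segs, PATTERN)}")


if __name__ == "__main__":
    main()
```

Running it prints `[1, 1, 1, 1, 1]` for the quoted debug lines, and the per-packet model only matches the browser-style single segment, while the reassembling model matches both. The practical check this suggests for a lab: before concluding a URL class-map is broken, confirm with `debug ip packet` that the request actually arrived in one segment, or generate it with a client that sends the whole request at once rather than by hand over telnet.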


This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3