Re: NBAR Not matching !

From: Bob Sinclair (bsin@cox.net)
Date: Sun Jun 05 2005 - 17:55:31 GMT-3


Piotr,

Your argument makes perfect sense. But have you tried it?

Please do not speculate. Do the lab!

Bob Sinclair
CCIE #10427, CCSI 30427, CISSP
www.netmasterclass.net

  ----- Original Message -----
  From: Piotr Jelonek
  To: Bob Sinclair
  Cc: Scott Morris ; 'CCIE' ; 'Group Study'
  Sent: Sunday, June 05, 2005 4:48 PM
  Subject: Re: NBAR Not matching !

  On Sun, Jun 05, 2005 at 04:28:57 -0400, Bob Sinclair wrote:
> I have been able to get NBAR to match against the following class-map:
>
> Class Map match-all CIF (id 3)
> Match protocol http url "*cifs*"
>
> by telnetting to ubix.org 80, followed by: GET /cifs/NetBIOS.html HTTP/1.0
> ENTER ENTER
>
> I noticed that a "drop" for this class seems to work inbound, but not outbound
> (for the GET). Any tips on testing NBAR HTTP matches via telnet for lab
> purposes?

  Hi All.

  Are you not losing something there?
  I think when you telnet to port 80 and type "GET ..." on your keyboard it
  works totally differently than if you run your browser and request some address.

  If you telnet to port 80 and type "G" "E" "T" " " .... each character
  is sent in a separate packet. Just like I did (look at the length of each
  packet):

  ...
  *Mar 4 11:10:35.913: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
  *Mar 4 11:10:35.913: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
  *Mar 4 11:10:35.913: TCP src=11030, dst=80, seq=2273826937, ack=135567464, win=4128 ACK PSH
  *Mar 4 11:10:36.113: IP: tableid=0, s=150.2.1.1 (local), d=128.2.0.3 (Ethernet0/0), routed via RIB
  *Mar 4 11:10:36.726: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
  *Mar 4 11:10:36.726: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
  *Mar 4 11:10:36.726: TCP src=11030, dst=80, seq=2273826938, ack=135567464, win=4128 ACK PSH
  *Mar 4 11:10:36.927: IP: tableid=0, s=150.2.1.1 (local), d=128.2.0.3 (Ethernet0/0), routed via RIB
  *Mar 4 11:10:37.095: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
  *Mar 4 11:10:37.099: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
  *Mar 4 11:10:37.099: TCP src=11030, dst=80, seq=2273826939, ack=135567464, win=4128 ACK PSH
  *Mar 4 11:10:37.255: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
  *Mar 4 11:10:37.255: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
  *Mar 4 11:10:37.255: TCP src=11030, dst=80, seq=2273826940, ack=135567464, win=4128 ACK PSH
  *Mar 4 11:10:37.299: IP: tableid=0, s=150.2.1.1 (local), d=128.2.0.3 (Ethernet0/0), routed via RIB
  *Mar 4 11:10:37.440: IP: tableid=0, s=128.2.0.3 (Ethernet0/0), d=150.2.1.1 (Loopback0), routed via RIB
  *Mar 4 11:10:37.440: IP: s=128.2.0.3 (Ethernet0/0), d=150.2.1.1, len 41, rcvd 4
  ..

  Do you think that NBAR will gather packets in some buffer and check each
  request?
  I don't think so.

  If you run your browser and type in some address, then hit ENTER, your request
  is sent in one packet; now NBAR has something to look in.

  Do you agree with me?

  Regards,
  Piotr

  --
  piotr <at> jelonek <dot> info
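The per-packet point Piotr makes, simulated in Python as an added example (not code from this thread or from Cisco): a keystroke-at-a-time telnet session spreads the request line over one-byte segments (the debug above shows len 41 and the sequence number advancing by one per segment), so a matcher that looks at each payload on its own never sees "cifs", while the same request in one segment matches. The regex is a hypothetical stand-in for `match protocol http url "*cifs*"`, not NBAR's real matcher; the request text is constructed.

```python
import re
from typing import Iterable, List

# Constructed sample request, the one typed into telnet in the thread.
REQUEST = "GET /cifs/NetBIOS.html HTTP/1.0\r\n\r\n"

# Hypothetical stand-in for 'match protocol http url "*cifs*"': a request
# line whose URL contains "cifs".  NBAR's actual engine is not this regex.
URL_PATTERN = re.compile(rb"^(?:GET|POST|HEAD)\s+(\S*cifs\S*)\s+HTTP/1\.[01]", re.M)


def telnet_packets(request: str) -> List[bytes]:
    """Character-mode telnet: every keystroke leaves in its own TCP segment.
    One payload byte + 20-byte IP + 20-byte TCP header = the 'len 41' seen
    in the debug output (assuming no IP/TCP options)."""
    return [ch.encode() for ch in request]


def linemode_packets(request: str) -> List[bytes]:
    """Line-mode telnet client (assumed behaviour): a whole line per segment.
    Shown because this is the case where a typed request *can* match."""
    return [line.encode() for line in request.splitlines(keepends=True)]


def browser_packets(request: str) -> List[bytes]:
    """Browser: the complete request goes out in a single segment."""
    return [request.encode()]


def per_packet_match(packets: Iterable[bytes]) -> bool:
    """Stateless classification: each payload is inspected on its own,
    which is what Piotr argues NBAR is doing here."""
    return any(URL_PATTERN.search(p) for p in packets)


def reassembled_match(packets: Iterable[bytes]) -> bool:
    """Classification after stream reassembly: what would be needed for the
    keystroke-at-a-time case to match."""
    return URL_PATTERN.search(b"".join(packets)) is not None


if __name__ == "__main__":
    for name, pkts in (("telnet (char mode)", telnet_packets(REQUEST)),
                       ("telnet (line mode)", linemode_packets(REQUEST)),
                       ("browser", browser_packets(REQUEST))):
        print(f"{name:20s} segments={len(pkts):2d} "
              f"per-packet={per_packet_match(pkts)} "
              f"reassembled={reassembled_match(pkts)}")
```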



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3