RE: NBAR question

From: ccie2be (ccie2be@nyc.rr.com)
Date: Tue Jul 26 2005 - 14:51:31 GMT-3


I think you need to add parentheses around the string you want to match
against. Have you tried that?

I would also recommend that you fully understand and practice using the mime
option and know the difference between what needs to be done if you're asked
to act upon jpg's or mpeg's or gif's.

I had a detailed discussion on just this topic with Scott Morris several
months ago. Check the archives for details. But, in essence, be aware of
this subtle distinction.

Do you want to match against something EMBEDDED within the http page? If so,
you use the mime type option.

Do you want to match against a FILE on a HTTP server? If so, you use the
url option.

What's confusing is, if, like me, you don't have a background in HTTP
programming, that at first glance it seems impossible to know if you need
to match against a file or an embedded file type. But it is, in fact,
possible. Here's the key:

LOOK FOR A PERIOD. For example, if you have to match against ".jpg" because
of the period in front of "jpg", you know that this is referring to a file
extension, not a mime type. On the other hand, if there's no period, you're
dealing with an embedded file and should use the mime type option.

I would also recommend that you make a habit of explicitly entering the
match-any or match-all keyword. The reason for this is to constantly remind
yourself that these 2 options exist. I learned this the hard way. I was
trying to match against jpg's, jpeg's or mpeg and because I forgot about the
match-any option, I was trying to use the pipe symbol for regular
expressions and having a hell of a time making it work.

HTH, Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Edwards, Andrew M
Sent: Tuesday, July 26, 2005 1:15 PM
To: ccielab@groupstudy.com
Subject: Re: NBAR question

So I've started REALLY messing with NBAR for QoS/security issues and
have a few questions specific to match protocol http and its
sub-options.

Regarding the "host" option.

I have had no luck getting the CCO documentation to work as specified.
Surprised? I'm not.

Anyhow, it seems that you MUST use regular expressions with the host
option to match on a FQDN ONLY.

As an example, I have not gotten the following doccd example to match:

match protocol http host cisco*

According to the docCD this would match on any hostname that starts with
cisco followed by zero or more characters.

However, I have tried this with the host parameter, gone to
www.cisco.com and not had any matches.

I only got a match when I did this:

match protocol http host *.cisco.com

This matches any subdomain of cisco.com, such as newsroom.cisco.com,
support.cisco.com, etc.

Or

match protocol http host *cisco.com

In addition to the subdomain matching stated above, this matches on
major-domain levels where zero or more characters precede cisco.com.
Examples would be ddcisco.com or www.ddcisco.com, etc.

Or

match protocol http host *.cisco.*

This matches just like *.cisco.com. But also matches on *.cisco.net,
*.cisco.org, *.cisco.<add anything including null string>

As for the URL option, I have not gotten the doccd example to be
successful either.

class-map class1
match protocol http url whatsnew/latest*

I only got a match when I did this:

match protocol http url /univercd/home/home.htm

This is an exact match following the FQDN.

I also did this and got a match:

match protocol http url /univercd/*

Basically anything on the univercd matches.

So I did a few more checks and it looks like the URL portion is only
matching on the portion after the FQDN.

--------------------
So in summary, what I've seen is this; and please someone interject if
they have seen differently.

For the HOST option, match protocol http matches only on the host
portion of the URL with the use of regular expressions to match.

For the URL option, match protocol http does not match on the host
portion of the URL, but instead matches on everything following the host
portion in the URL with the use of regular expressions to match.

Anyone else messed with this enough to care or comment?
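The host/url/mime behaviour Andrew describes and the match-any versus pipe-symbol point Tim raises, as an added example that is not part of either post: a small Python model of an NBAR-style HTTP classifier that parses class-map text and applies it to sample requests. The class-map config, the sample requests and the matching semantics (`*` = any string including empty, `?` = one character, `|`, `(...)` and `[...]` passed through, patterns anchored at both ends, host compared against the hostname only, url compared against everything after the host, mime compared against the response Content-Type) are assumptions modelled on the thread and on the documented NBAR wildcard set; they are not a capture of a real router's behaviour.

```python
"""Model of NBAR 'match protocol http host|url|mime' classification (added example)."""
import re
from urllib.parse import urlsplit

# Constructed class-map config modelled on the thread (assumption: not a real device dump).
CONFIG = """\
class-map match-any IMAGES_BY_URL
 match protocol http url *.jpg
 match protocol http url *.jpeg
 match protocol http url *.mpeg
class-map match-all IMAGES_BY_URL_ALT
 match protocol http url *.(jpg|jpeg|mpeg)
class-map match-any IMAGES_BY_MIME
 match protocol http mime image/jpeg
 match protocol http mime video/mpeg
class-map match-all CISCO_SUBDOMAINS
 match protocol http host *.cisco.com
class-map match-all CISCO_PREFIX
 match protocol http host cisco*
class-map match-all UNIVERCD
 match protocol http url /univercd/*
"""

CLASS_RE = re.compile(r"^class-map\s+(match-any|match-all)\s+(\S+)\s*$")
MATCH_RE = re.compile(r"^\s+match\s+protocol\s+http\s+(host|url|mime)\s+(\S+)\s*$")


def wildcard_to_regex(pattern):
    """Translate an NBAR-style pattern into an anchored, case-insensitive regex.
    Assumed semantics: '*' any string (incl. empty), '?' one character; '|',
    '(...)' and '[...]' pass through unchanged; everything else is literal.
    Anchoring at both ends is what makes 'cisco*' miss 'www.cisco.com'."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch in "()|[]":
            out.append(ch)
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def parse_class_maps(text):
    """Return {name: (mode, [(field, compiled_regex), ...])} in config order."""
    class_maps, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CLASS_RE.match(line)
        if m:
            current = m.group(2)
            class_maps[current] = (m.group(1), [])
            continue
        m = MATCH_RE.match(line)
        if m and current:
            class_maps[current][1].append((m.group(1), wildcard_to_regex(m.group(2))))
        else:
            raise ValueError("unparsed line: %r" % line)
    return class_maps


def http_fields(request):
    """Split a request into the three things the model can look at:
    host = hostname only; url = everything after the host (path + query);
    mime = the response Content-Type, if known."""
    parts = urlsplit(request["url"])
    url = parts.path or "/"
    if parts.query:
        url += "?" + parts.query
    return {"host": parts.hostname or "", "url": url, "mime": request.get("content_type", "")}


def classify(request, class_maps):
    """Names of the class-maps the request falls into, in config order."""
    fields = http_fields(request)
    hits = []
    for name, (mode, rules) in class_maps.items():
        results = [rx.match(fields[field]) is not None for field, rx in rules]
        if (mode == "match-any" and any(results)) or (mode == "match-all" and all(results)):
            hits.append(name)
    return hits


# Constructed sample requests (assumption: illustrative, not captured traffic).
SAMPLE_REQUESTS = [
    {"url": "http://www.cisco.com/univercd/home/home.htm", "content_type": "text/html"},
    {"url": "http://support.cisco.com/photos/booth.JPG", "content_type": "image/jpeg"},
    {"url": "http://cisco.example.net/index.html", "content_type": "text/html"},
    # Embedded image served without a file extension: only the mime rule can see it.
    {"url": "http://www.example.com/img?id=42", "content_type": "image/jpeg"},
]


def demo():
    class_maps = parse_class_maps(CONFIG)
    return {r["url"]: classify(r, class_maps) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for url, hits in demo().items():
        print(url, "->", hits)
```

Two things worth noticing in the output: the request for `/img?id=42` with an `image/jpeg` Content-Type is caught only by the mime class-map, which is Tim's period rule in action (no `.jpg` in the URL, so the url rules cannot see it), and `IMAGES_BY_URL_ALT` shows the pipe working once the alternatives are grouped in parentheses, which is the equivalent of the three-line match-any class-map above it.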



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:31 GMT-3