RE: Question on NBAR syntax

From: Schulz, Dave (DSchulz@dpsciences.com)
Date: Fri Nov 11 2005 - 01:18:36 GMT-3


I have used the " " with the mime type, but not necessarily with the URL
extension. I didn't realize that the quotes are used with the url and that
would work. Here is the excerpt from the doc CD with some examples.....

Dave (docCD excerpt from here).....

Usage Guidelines
In Cisco IOS Release 12.3(4)T, the NBAR Extended Inspection for HTTP Traffic
feature was introduced. This feature allows NBAR to scan TCP ports that are
not well-known and identify HTTP traffic traversing these ports. This feature
is enabled automatically when a service policy containing the match protocol
http command is attached to an interface.

When matching by MIME type, the MIME type can contain any user-specified text
string. Refer to the following web page for the IANA-registered MIME types:

ftp://ftp.isi.edu/in-notes/iana/assignments/media-types/media-types

When matching by MIME type, NBAR matches a packet containing the MIME type and
all subsequent packets until the next HTTP transaction.

When matching by host, NBAR performs a regular expression match on the host
field contents inside the HTTP packet and classifies all packets from that
host.

HTTP URL matching supports GET, PUT, HEAD, POST, DELETE, and TRACE. When
matching by URL, NBAR recognizes the HTTP packets containing the URL, and then
matches all packets that are part of the HTTP request. When specifying a URL
for classification, include only the portion of the URL following
www.hostname.domain in the match statement. For example, in the URL
www.anydomain.com/latest/whatsnew.html, include only /latest/whatsnew.html.

To match the www.anydomain.com portion, use the host name matching feature.
The URL or host specification strings can take the form of a regular
expression with the following options:

Option   Description
*        Match any zero or more characters in this position.
?        Match any one character in this position.
|        Match one of a choice of characters.
(|)      Match one of a choice of characters in a range. For example
         foo.(gif | jpg) matches either foo.gif or foo.jpg.
[ ]      Match any character in the range specified, or one of the special
         characters. For example, [0-9] is all of the digits. [*] is the "*"
         character and [[] is the "[" character.

Examples
The following example classifies, within class map foo, HTTP packets based on
any URL containing the string whatsnew/latest followed by zero or more
characters:

class-map foo
 match protocol http url whatsnew/latest*

The following example classifies, within class map foo, packets based on any
host name containing the string cisco followed by zero or more characters:

class-map foo
 match protocol http host cisco*

The following example classifies, within class map foo, packets based on the
JPEG MIME type:

class-map foo
 match protocol http mime "*jpeg"

-----Original Message-----
From: nobody@groupstudy.com
To: 'Roberto Fernandez'; ccielab@groupstudy.com
Sent: 11/10/2005 9:32 PM
Subject: RE: Question on NBAR syntax

I have worked with #1 and it works like a charm. I don't think the
others will work, but I don't think I've tried them.

Sincerely,
Dennis Hartmann

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Roberto Fernandez
Sent: Thursday, November 10, 2005 7:54 PM
To: ccielab@groupstudy.com
Subject: Question on NBAR syntax

Friends,

Which is the right syntax? Command reference is a little bit imprecise.

I want to match URLs containing root.exe.

1- match protocol http URL "*root.exe*"
2- match protocol http URL *root.exe*
3- match protocol http URL root.exe

Best Regards,
Roberto
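
Added example, not part of the original thread or of Cisco's documentation: a Python model of the option table quoted above (*, ?, (|), [ ]), run over the three candidate forms from the question. The function names, the sample URLs and the anchored flag are assumptions; the page does not say whether IOS anchors the pattern, and the model does not cover the IOS command parser, so it says nothing about whether the quotes are required.

```python
import re

def nbar_to_regex(pattern):
    """Translate the documented options (*, ?, (a|b), [ ]) into Python regex source."""
    pattern = pattern.strip('"')          # quotes belong to the CLI line, not the pattern
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")              # any zero or more characters
        elif c == "?":
            out.append(".")               # any one character
        elif c in "(|)":
            out.append(c)                 # choice, e.g. foo.(gif|jpg)
        elif c == "[":
            end = pattern.find("]", i + 2)   # i + 2 so that "[[]" and "[]]" are accepted
            if end == -1:
                raise ValueError("unterminated [ ] in " + repr(pattern))
            members = re.escape(pattern[i + 1:end]).replace("\\-", "-")
            out.append("[" + members + "]")  # a range such as [0-9], or a literal such as [*]
            i = end
        elif c != " ":                    # the doc writes "(gif | jpg)" with spaces
            out.append(re.escape(c))      # everything else is literal, including "."
        i += 1
    return "".join(out)

def nbar_match(pattern, text, anchored=True):
    """anchored=True: pattern must cover all of text; False: it may match anywhere.
    Which reading IOS uses is not stated on the page, so both are offered (assumption)."""
    rx = re.compile(nbar_to_regex(pattern))
    return (rx.fullmatch(text) if anchored else rx.search(text)) is not None

# Constructed sample URL portions (the part after the host name).
SAMPLES = ["/scripts/root.exe", "/a/root.exe?q=1", "/rootXexe", "/index.html"]
CANDIDATES = ['"*root.exe*"', "*root.exe*", "root.exe"]   # the three forms asked about

def compare():
    """Return {(pattern, anchored): [matching samples]} for each candidate under both readings."""
    return {(p, a): [u for u in SAMPLES if nbar_match(p, u, a)]
            for p in CANDIDATES for a in (True, False)}

if __name__ == "__main__":
    for key, hits in compare().items():
        print(key, hits)
```

In this model the form with a leading and trailing * gives the same result under either reading, while the bare root.exe form matches only if the pattern is unanchored.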



This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:06 GMT-3