Matching SQL with NBAR

From: allboutcisco (frenzeus@streamyx.com)
Date: Sun May 07 2006 - 01:31:27 ART


Hi group,

Was working through IEWBv3 Lab 15, Task 9.1, where the task is to match on the SQL Slammer worm, in particular packets with a size of 404 bytes destined for UDP port 1434. So I did a check from the Doc CD (and also a show ip nbar port) and noticed that NBAR is matching sqlserver on TCP port 1433. So instead of matching directly on protocol sqlserver (as per the solution guide), I did a custom mapping with "custom-01" to UDP port 1434. Would it be right to do it this way?

Since if I use "protocol sqlserver" directly, it matches SQL packets to TCP port 1433, would it still match the SQL Slammer, which instead uses UDP port 1434 (as given in the task)?

ip nbar port-map custom-01 udp 1434
!
class-map match-all SQLWORM
 match protocol custom-01
 match packet length min 404 max 404
!
policy-map TASK9.1
 class SQLWORM
   drop
!

Would this be correct? Thanks everyone in advance.

Cheers,
Kenny
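
Added example (not part of the original post): a Python model of the match-all logic in the SQLWORM class-map above, run over constructed packets to show which combinations of protocol, port and length land in the class. It assumes "match packet length" compares the IPv4 total-length field; build_ipv4, classify and run_samples are hypothetical helper names.

```python
import struct

UDP, TCP = 17, 6
WORM_PORT = 1434   # from the post: ip nbar port-map custom-01 udp 1434
WORM_LEN = 404     # from the post: match packet length min 404 max 404

def build_ipv4(proto, dport, payload_len, options=b""):
    """Build a constructed IPv4 packet (checksums zero, documentation addresses)."""
    if proto == UDP:
        l4 = struct.pack("!HHHH", 40000, dport, 8 + payload_len, 0)
    else:  # minimal 20-byte TCP header with SYN set
        l4 = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ihl_words = 5 + len(options) // 4
    total = ihl_words * 4 + len(l4) + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total, 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + l4 + bytes(payload_len)

def classify(packet):
    """Return 'SQLWORM' only when both match statements hold (match-all)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # header length varies with IP options
    total_len, = struct.unpack_from("!H", packet, 2)
    frag, = struct.unpack_from("!H", packet, 6)
    if ihl < 20 or len(packet) < ihl + 4 or frag & 0x1FFF:
        return None                         # no L4 ports to read
    dport, = struct.unpack_from("!H", packet, ihl + 2)
    port_ok = packet[9] == UDP and dport == WORM_PORT
    length_ok = total_len == WORM_LEN       # min 404 max 404
    return "SQLWORM" if port_ok and length_ok else None

SAMPLES = {  # constructed packets, not captured traffic
    "udp1434_len404": build_ipv4(UDP, 1434, 376),          # 20 + 8 + 376
    "udp1434_len128": build_ipv4(UDP, 1434, 100),          # right port, short
    "tcp1433_len404": build_ipv4(TCP, 1433, 364),          # right length, TCP
    "udp1434_opts_len404": build_ipv4(UDP, 1434, 372, b"\x01" * 4),
    "udp1434_opts_len408": build_ipv4(UDP, 1434, 376, b"\x01" * 4),
}

def run_samples():
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:22} -> {verdict or 'class-default'}")
```

The last two samples show that an exact Layer 3 length match depends on the IP header size: the same 376-byte UDP payload carried with 4 bytes of IP options is 408 bytes and falls outside the class.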


