From: Akaradeth.N@datacraft-asia.com
Date: Mon May 08 2006 - 02:57:24 ART
At my first try, I did it like your way, and I think this way is correct, it
is another way for us who don't know that the "protocol sqlserver" is UDP
port 1434.
It is a good posting to let us know a good option for us, I think.
Akaradeth
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
Sent: Sunday, May 07, 2006 11:31 AM
To: Cisco certification
Subject: Matching SQL with NBAR
Hi group,
Was working through IEWBv3 Lab 15, Task9.1; where the task is to match on
SQL Slammer worm in particular packets with size of 404 byte destined for
UDP port 1434. So i did a check from Doc cd (& also a show ip nbar port) &
noticed that the nbar is matching sqlserver on TCP port 1433. So instead of
matching directly (as per solution guide) protocol sqlserver, i did a custom
mapping with "custom-01" to UDP port 1434. Would it be right to do it this
way?
Since if i use "protocol sqlserver" directly, it matches sql packets to TCP
port 1433, would it still match the SQL slammer which instead uses UDP port
1434 (as given in the task)?
ip nbar port-map custom-01 udp 1434
!
class-map match-all SQLWORM
match protocol custom-01
match packet length min 404 max 404
!
policy-map TASK9.1
class SQLWORM
drop
!
Would this be correct? Thanks everyone in advance.
Cheers,
Kenny
This archive was generated by hypermail 2.1.4 : Thu Jun 01 2006 - 06:33:21 ART