RE: NBAR http matching

From: M S (michaelgstout@hotmail.com)
Date: Sun Jun 24 2007 - 21:10:24 ART

• Next message: M S: "RE: Port-Security and HSRP (Again !!!)"
• Previous message: Antonio Soares: "RE: Bandwith management on 802.1Q Subinterfaces."
• Maybe in reply to: malcolm.salmons@gmail.com: "NBAR http matching"
• Next in thread: Antonio Soares: "RE: NBAR http matching"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I've been watching this discussion.
Can i get some input on the assumptions I make as they relate to this
document, please?
Thank you!

When matching by HOST is performed, NBAR performs a regular expression
match on the host field contents inside an HTTP GET packet and classifies
all packets from that host.

match protocol http host "abc.com" matches all packets comming FROM
abc.com. So, any policy that matches http host must be an inbound policy.
class-map HOSTS
match protocol http host "abc.com"
policy-map HTTP-FILTERS
class HOSTS
!
interface Serial0/0
service input HTTP-FILTERS
description abc is outside of my network over this seriallink

When matching by URL is performed, NBAR recognizes the HTTP GET packets
containing the URL, and then matches all packets that are part of the
HTTP GET request. When specifying a URL for classification, include only
the portion of the URL following www.hostname.domain in the match
statement. For example, in the URL
www.anydomain.com/latest/whatsnew.html, include only
/latest/whatsnew.html.

match protocol http url is not confined to any specific direction. If a
port 80 packet contains a get statement, NBAR will parse the string for a
match based on the regular experession.
class-map URL
match protocol http url "*/new/*"
policy-map BLOCK-URL
class URL
drop

Now, if i want to use both toghether I will have to use nested
policy-maps

policy-map HTTP-FILTERS
class HOSTS
service-policy BLOCK-URL
!

interface Serial0/0
service input HTTP-FILTERS

This policy will allow the requests to abc.com to leave the site, but
packets directed to the news directory will be dropped.

  --------------------------------------------------------------------

  From: malcolm.salmons@gmail.com
  Reply-To: malcolm.salmons@gmail.com
  To: ccielab@groupstudy.com
  Subject: NBAR http matching
  Date: Sun, 10 Jun 2007 16:30:26 -0400
  Hi

  I'm having a few problems detemining the difference between match
  protocol http host, url and mime and how to apply them to practical
  examples. For example if I wanted to match traffic for a particular
  directory for a specific website, e.g. www.abc.com/news

  How would I go about matching this?

  Would it be:

  class-map match-all web-directory
  match protocol http host "www.abc.com"
  match protocol http url "/news/"

  Or am I way off the mark here?

  Any help would be greatly appreciated.

  Thanks

  _______________________________________________________________________
  Subscription information may be found at:
  http://www.groupstudy.com/list/CCIELab.html

------------------------------------------------------------------------

Hotmail to go? Get your Hotmail, news, sports and much more!

• Next message: M S: "RE: Port-Security and HSRP (Again !!!)"
• Previous message: Antonio Soares: "RE: Bandwith management on 802.1Q Subinterfaces."
• Maybe in reply to: malcolm.salmons@gmail.com: "NBAR http matching"
• Next in thread: Antonio Soares: "RE: NBAR http matching"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:51 ART