RE: NBAR http matching

From: anthony.sequeira@thomson.com
Date: Thu Jun 28 2007 - 18:25:40 ART


I bet someone has a quick test for this - but for me, it's an example of
one where I would double-check the config for verification, and then
just take it on faith.

Some things you will just not be able to (or have time to) verify!

Anthony J. Sequeira
#15626

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Cecil Wilson
Sent: Thursday, June 28, 2007 4:03 PM
To: Antonio Soares; M S; malcolm.salmons@gmail.com
Cc: ccielab@groupstudy.com
Subject: RE: NBAR http matching

Hello GS

Does anyone have any suggestion on how to test for URL match in a
lab environment?

What is a good test? For example, if you are using a Cisco router
as a web server, how do I configure it to make it respond to HTTP requests?

Thanks for all input

Cecil G. Wilson
IT Network Services
Office: (901) 215-2710
Cell: (901) 601-6201
cecil.wilson@flextronics.com
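One way to drive the test Cecil asks about, as an added example (not code from any poster in the thread): enable the router's own HTTP server with `ip http server` (and `ip http port 8080` if you want to reproduce the non-default-port case), then run this Python script from a client on the far side of the interface that carries the service-policy and read `show policy-map interface` afterwards. The router address, port and request paths are placeholders to edit. The script builds the raw GET itself so that the request line and Host header, the two fields NBAR inspects, are visible and under your control.

```python
"""Generate HTTP GETs against a lab web server to exercise NBAR class-maps (added example)."""
import socket
from typing import List, Tuple


def build_get(host: str, port: int, path: str) -> bytes:
    """Build the raw request exactly as NBAR will see it on the wire.

    The Host header carries ":port" only for a non-default port, which is why
    a class-map for a server listening on 8080 must match "host:8080"."""
    authority = host if port == 80 else f"{host}:{port}"
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {authority}\r\n"
            f"User-Agent: nbar-lab-test\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def send_requests(target: str, port: int, paths: List[str], repeat: int = 1,
                  timeout: float = 3.0) -> List[Tuple[str, str]]:
    """Send one GET per path, `repeat` times over, and return (path, status line).

    A 401 or 404 from the router is fine: NBAR classifies on the GET, not on
    the reply, so the counters move either way. Connection errors are
    recorded rather than raised so one dead path does not stop the run."""
    results = []
    for _ in range(repeat):
        for path in paths:
            try:
                with socket.create_connection((target, port), timeout=timeout) as s:
                    s.sendall(build_get(target, port, path))
                    first = s.recv(1024).split(b"\r\n", 1)[0]
                    status = first.decode("latin-1", "replace")
            except OSError as exc:
                status = f"error: {exc}"
            results.append((path, status))
    return results


if __name__ == "__main__":
    ROUTER = "12.12.12.2"   # placeholder: router with `ip http server` configured
    PORT = 8080             # placeholder: use 80 unless `ip http port 8080` is configured
    PATHS = ["/", "/exec/", "/images/logo.gif", "/news/index.html"]  # constructed test paths
    for path, status in send_requests(ROUTER, PORT, PATHS, repeat=5):
        print(f"{path:22s} {status}")
    # Afterwards, on the router: show policy-map interface <name>
```

Run it once per pattern you want to verify, note the packet counters before and after, and remember that only the GET direction moves the NBAR host/url counters; the reply bytes show up in class-default.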

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Antonio Soares
Sent: Monday, June 25, 2007 2:43 PM
To: 'M S'; malcolm.salmons@gmail.com
Cc: ccielab@groupstudy.com
Subject: RE: NBAR http matching

I noticed that if we want to match a host running on a non-default port,
let's say 8080, we must include this in the match statement. In the
example below, my web server (a Cisco router) is running on port 8080:

!
class-map match-all http-host-port8080
 match protocol http host "12.12.12.2:8080"
class-map match-all http-host-port80
 match protocol http host "12.12.12.2"
class-map match-all http-gif
 match protocol http url "*.gif"
class-map match-all http-url
 match protocol http url "*exec*"
!
policy-map qos
 class http-url
 class http-gif
 class http-host-port80
 class http-host-port8080
!

R1#sh policy-map interface
 FastEthernet0/0

  Service-policy input: qos

    Class-map: http-url (match-all)
      124 packets, 10918 bytes
      5 minute offered rate 0 bps
      Match: protocol http url "*exec*"
    Class-map: http-gif (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: protocol http url "*.gif"
    Class-map: http-host-port80 (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match: protocol http host "12.12.12.2"
    Class-map: http-host-port8080 (match-all)
      51 packets, 5900 bytes
      5 minute offered rate 0 bps
      Match: protocol http host "12.12.12.2:8080"

    Class-map: class-default (match-any)
      669 packets, 320813 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
R1#

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Antonio Soares
Sent: Monday, 25 June 2007 3:15
To: 'M S'; malcolm.salmons@gmail.com
Cc: ccielab@groupstudy.com
Subject: RE: NBAR http matching

Something interesting that I want to add to this discussion:

I captured my traffic when opening the DocCD and this is what I got:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1st GET Packet:
URL=/univercd/home/home.htm
Host=www.cisco.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Frame 6 (477 bytes on wire, 477 bytes captured)
Ethernet II, Src: 00:19:d2:06:f8:cd (00:19:d2:06:f8:cd), Dst: 00:18:39:bc:46:b0 (00:18:39:bc:46:b0)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 198.133.219.25 (198.133.219.25)
Transmission Control Protocol, Src Port: 3548 (3548), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 423
Hypertext Transfer Protocol
    GET /univercd/home/home.htm HTTP/1.1\r\n
        Request Method: GET
        Request URI: /univercd/home/home.htm
        Request Version: HTTP/1.1
    Accept: */*\r\n
    Accept-Language: pt\r\n
    UA-CPU: x86\r\n
    Accept-Encoding: gzip, deflate\r\n
    If-Modified-Since: Tue, 19 Jun 2007 18:44:38 GMT\r\n
    If-None-Match: "850a"\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.1)\r\n
    Host: www.cisco.com\r\n
    Connection: Keep-Alive\r\n
    Cookie: CP_GUTC=213.164.58.13.1182692844447933\r\n
    \r\n
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2nd GET Packet:
URL=/univercd/cc/lib/splash.gif
Host=www.cisco.com
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Frame 19 (535 bytes on wire, 535 bytes captured)
Ethernet II, Src: 00:19:d2:06:f8:cd (00:19:d2:06:f8:cd), Dst: 00:18:39:bc:46:b0 (00:18:39:bc:46:b0)
Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 198.133.219.25 (198.133.219.25)
Transmission Control Protocol, Src Port: 3549 (3549), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 481
Hypertext Transfer Protocol
    GET /univercd/cc/lib/splash.gif HTTP/1.1\r\n
        Request Method: GET
        Request URI: /univercd/cc/lib/splash.gif
        Request Version: HTTP/1.1
    Accept: */*\r\n
    Referer: http://www.cisco.com/univercd/home/home.htm\r\n
    Accept-Language: pt\r\n
    UA-CPU: x86\r\n
    Accept-Encoding: gzip, deflate\r\n
    If-Modified-Since: Tue, 19 Jun 2007 20:21:18 GMT\r\n
    If-None-Match: "1119"\r\n
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.1)\r\n
    Host: www.cisco.com\r\n
    Connection: Keep-Alive\r\n
    Cookie: CP_GUTC=213.164.58.13.1182692844447933\r\n
    \r\n
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

So match protocol http actually matches the HTTP GET packets.
The GET packets are sent from the client to the server only.
So I think any policy can be applied inbound or outbound, depending on where
the clients are and what we are asked to do.

A common question I saw several times is how to block images. Here we
may use wildcards to match the URL containing the image file.
For example, if I want to block any .gif, I would do:

!
class-map match-all http-images
 match protocol http url "*.gif"
!
policy-map qos
 class http-images
   drop
!

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
M S
Sent: Monday, 25 June 2007 1:10
To: malcolm.salmons@gmail.com
Cc: ccielab@groupstudy.com
Subject: RE: NBAR http matching

I've been watching this discussion.

Can I get some input on the assumptions I make as they relate to this
document, please?

Thank you!

When matching by HOST is performed, NBAR performs a regular expression
match on the host field contents inside an HTTP GET packet and
classifies all packets from that host.

match protocol http host "abc.com" matches all packets coming FROM
abc.com.

So, any policy that matches http host must be an inbound policy.

class-map HOSTS
 match protocol http host "abc.com"
policy-map HTTP-FILTERS
 class HOSTS
!
interface Serial0/0
 description abc is outside of my network over this serial link
 service-policy input HTTP-FILTERS

When matching by URL is performed, NBAR recognizes the HTTP GET packets
containing the URL, and then matches all packets that are part of the
HTTP GET request. When specifying a URL for classification, include only
the portion of the URL following www.hostname.domain in the match
statement. For example, in the URL
www.anydomain.com/latest/whatsnew.html, include only
/latest/whatsnew.html.

match protocol http url is not confined to any specific direction. If a
port 80 packet contains a GET statement, NBAR will parse the string for
a match based on the regular expression.

class-map URL
 match protocol http url "*/new/*"
policy-map BLOCK-URL
 class URL
  drop

Now, if I want to use both together I will have to use nested
policy-maps:

policy-map HTTP-FILTERS
 class HOSTS
  service-policy BLOCK-URL
!
interface Serial0/0
 service-policy input HTTP-FILTERS

This policy will allow the requests to abc.com to leave the site, but
packets directed to the news directory will be dropped.
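The behaviour described across the thread, Antonio's finding that a server on 8080 only matches host "12.12.12.2:8080", his captures showing that NBAR sees the client's GET (request URI plus Host header), and M S's summary of host versus url matching, can be checked against a small simulator. The Python below is an added example, not code from any poster or from Cisco: it parses a GET the way the captures show it, applies class-maps with match-all/match-any semantics and first-match policy-map ordering, and includes the host-plus-url class-map from Malcolm's original question (quoted below) to show that one match-all class-map with both statements already confines the match to a single directory on a single site. The wildcard dialect (`*` any string, `?` one character, `|` alternation, whole-field match) and the sample requests are assumptions consistent with the counters Antonio posted, not a transcription of Cisco's implementation.

```python
"""NBAR-style HTTP host/url classification simulated in Python (added example)."""
import re
from typing import List, Optional, Tuple

# Constructed sample requests, modelled on the captures posted in the thread.
REQ_HOME = b"GET /univercd/home/home.htm HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n"
REQ_GIF = b"GET /univercd/cc/lib/splash.gif HTTP/1.1\r\nHost: www.cisco.com\r\n\r\n"
# A browser puts the port in Host only when it is not the default, which is
# why a router web server on 8080 needs host "12.12.12.2:8080". The /exec
# path is a placeholder chosen to hit Antonio's "*exec*" class, not a real URL.
REQ_8080_EXEC = b"GET /exec/show/version HTTP/1.1\r\nHost: 12.12.12.2:8080\r\n\r\n"
REQ_8080_ROOT = b"GET / HTTP/1.1\r\nHost: 12.12.12.2:8080\r\n\r\n"
REQ_80_ROOT = b"GET / HTTP/1.1\r\nHost: 12.12.12.2\r\n\r\n"
REQ_NEWS = b"GET /news/today.html HTTP/1.1\r\nHost: www.abc.com\r\n\r\n"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"


def parse_get(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (request_uri, host) for a GET request, else None.

    NBAR keys off the client's GET; a server reply has no request line (real
    NBAR carries the class chosen for the GET over to the rest of that flow)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
            break
    return parts[1], host


def nbar_regex(pattern: str) -> "re.Pattern":
    """Translate an NBAR-style match string into an anchored regex.

    Assumed dialect: '*' any string, '?' one character, '|' alternation, all
    else literal, whole field must match (so "*exec*" needs both stars)."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        elif ch == "|":
            out.append("|")
        else:
            out.append(re.escape(ch))
    return re.compile("^(?:" + "".join(out) + ")$")


class ClassMap:
    """class-map match-all | match-any with optional host and url matches."""

    def __init__(self, name: str, match_all: bool = True,
                 host: Optional[str] = None, url: Optional[str] = None):
        self.name = name
        self.match_all = match_all
        self.host_re = nbar_regex(host) if host is not None else None
        self.url_re = nbar_regex(url) if url is not None else None

    def matches(self, uri: str, host: str) -> bool:
        results = []
        if self.host_re is not None:
            results.append(self.host_re.match(host) is not None)
        if self.url_re is not None:
            results.append(self.url_re.match(uri) is not None)
        if not results:
            return False
        return all(results) if self.match_all else any(results)


def classify(raw: bytes, policy: List[ClassMap]) -> str:
    """First class-map in the policy-map that matches wins, else class-default."""
    parsed = parse_get(raw)
    if parsed is None:
        return "class-default"
    uri, host = parsed
    for cmap in policy:
        if cmap.matches(uri, host):
            return cmap.name
    return "class-default"


# Antonio's policy-map "qos" in the order IOS walks it, plus the host+url
# class-map from the original question: one match-all class-map with both
# statements already confines the match to /news/ on www.abc.com.
POLICY_QOS = [
    ClassMap("http-url", url="*exec*"),
    ClassMap("http-gif", url="*.gif"),
    ClassMap("http-host-port80", host="12.12.12.2"),
    ClassMap("http-host-port8080", host="12.12.12.2:8080"),
    ClassMap("abc-news", host="www.abc.com", url="/news/*"),
]

if __name__ == "__main__":
    for req in (REQ_HOME, REQ_GIF, REQ_8080_EXEC, REQ_8080_ROOT, REQ_80_ROOT, REQ_NEWS, RESPONSE):
        print(req.split(b"\r\n", 1)[0].decode(), "->", classify(req, POLICY_QOS))
```

Two things the simulation makes visible: the 8080 requests land in http-host-port8080 and never in http-host-port80, which is the ordering-plus-whole-field behaviour the posted counters show (0 packets on the port-80 class, 51 on the 8080 class), and url "/news/" as written in the original question would match only that exact path, so "/news/*" is the pattern for the directory. A query string after the file name ("/a.gif?x=1") is also outside "*.gif" under these rules, which matters when the goal is to block images rather than just count them.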

  --------------------------------------------------------------------
  From: malcolm.salmons@gmail.com
  Reply-To: malcolm.salmons@gmail.com
  To: ccielab@groupstudy.com
  Subject: NBAR http matching
  Date: Sun, 10 Jun 2007 16:30:26 -0400

  Hi

  I'm having a few problems determining the difference between match
  protocol http host, url and mime and how to apply them to practical
  examples. For example, if I wanted to match traffic for a particular
  directory for a specific website, e.g. www.abc.com/news

  How would I go about matching this?

  Would it be:

  class-map match-all web-directory
   match protocol http host "www.abc.com"
   match protocol http url "/news/"

  Or am I way off the mark here?

  Any help would be greatly appreciated.

  Thanks



This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:52 ART