Re: NBAR http matching

From: WorkerBee (ciscobee@gmail.com)
Date: Thu Jun 28 2007 - 21:18:50 ART


Read this link; it explicitly mentions the direction of flow of the
requestor and the position of the NBAR router doing the protocol
inspection. It is the HTTP response that is being classified.

Classification of HTTP Traffic by URL, Host, or MIME

http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a008064fb35.html#wp1055866

On 6/29/07, Antonio Soares <amsoares@netcabo.pt> wrote:
> Almost... I don't understand why I'm able to match the host but not the URL
> even with a "*". Here's what you can do only with routers:
>
> Setup:
> ++++++
> Web Client---Router---Web Server
>
> Router acting as Web Client:
> ++++++++++++++++++++++++++++
> !
> no ip routing
> !
> interface FastEthernet0/0
>  ip address 12.12.12.1 255.255.255.0
> !
> ip default-gateway 12.12.12.2
> !
> ip http client username cisco
> ip http client password 0 cisco
> !
>
> Router with Policies:
> +++++++++++++++++++++
> !
> class-map match-all http-host
>  match protocol http host "23.23.23.3"
> class-map match-all http-url
>  match protocol http url "*"
> !
> !
> policy-map qos
>  class http-host
>  class http-url
> !
> interface FastEthernet0/0
>  ip address 12.12.12.2 255.255.255.0
>  service-policy input qos
> !
> interface FastEthernet0/1
>  ip address 23.23.23.2 255.255.255.0
>  service-policy input qos
> !
>
> Router acting as Web Server:
> ++++++++++++++++++++++++++++
> !
> no ip routing
> !
> username cisco privilege 15 password 0 cisco
> !
> interface FastEthernet0/1
>  ip address 23.23.23.3 255.255.255.0
> !
> ip default-gateway 23.23.23.2
> !
> !
> ip http server
> ip http authentication local
> ip http path flash:
> !
>
> The http transfer:
> ++++++++++++++++++
> CLIENT#copy http: null:
> Address or name of remote host [23.23.23.3]?
> Source filename [web-confg]?
> Loading http://23.23.23.3/web-confg !
> 755 bytes copied in 0.684 secs (1104 bytes/sec)
> CLIENT#
>
> The outputs:
> ++++++++++++++++++
> ROUTER#sh policy-map inter
>  FastEthernet0/0
>
>   Service-policy input: qos
>
>     Class-map: http-host (match-all)
>       24 packets, 1912 bytes
>       5 minute offered rate 0 bps
>       Match: protocol http host "23.23.23.3"
>
>     Class-map: http-url (match-all)
>       0 packets, 0 bytes
>       5 minute offered rate 0 bps
>       Match: protocol http url "*"
>
>     Class-map: class-default (match-any)
>       6 packets, 360 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: any
>  FastEthernet0/1
>
>   Service-policy input: qos
>
>     Class-map: http-host (match-all)
>       12 packets, 3735 bytes
>       5 minute offered rate 0 bps
>       Match: protocol http host "23.23.23.3"
>
>     Class-map: http-url (match-all)
>       0 packets, 0 bytes
>       5 minute offered rate 0 bps
>       Match: protocol http url "*"
>
>     Class-map: class-default (match-any)
>       6 packets, 360 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: any
> ROUTER#
>
>
> -----Original Message-----
> From: Cecil Wilson [mailto:Cecil.Wilson@flextronics.com]
> Sent: Thursday, 28 June 2007 21:03
> To: Antonio Soares; M S; malcolm.salmons@gmail.com
> Cc: ccielab@groupstudy.com
> Subject: RE: NBAR http matching
>
> Hello GS
>
> Does anyone have any suggestion on how to test for URL match in a
> lab environment?
>
> What is a good test? For example, if you are using a Cisco router
> as a web server, how do I configure it to make it respond to HTTP requests?
>
> Thanks for all input
>
> Cecil G. Wilson
> IT Network Services
> Office: (901) 215-2710
> Cell: (901) 601-6201
> cecil.wilson@flextronics.com
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Antonio Soares
> Sent: Monday, June 25, 2007 2:43 PM
> To: 'M S'; malcolm.salmons@gmail.com
> Cc: ccielab@groupstudy.com
> Subject: RE: NBAR http matching
>
> I noticed that if we want to match a host running on a non-default port,
> let's say 8080, we must include this in the match statement. In the
> example below, my web server (a Cisco router) is running on port 8080:
>
> !
> class-map match-all http-host-port8080
>  match protocol http host "12.12.12.2:8080"
> class-map match-all http-host-port80
>  match protocol http host "12.12.12.2"
> class-map match-all http-gif
>  match protocol http url "*.gif"
> class-map match-all http-url
>  match protocol http url "*exec*"
> !
> !
> policy-map qos
>  class http-url
>  class http-gif
>  class http-host-port80
>  class http-host-port8080
> !
> !
> !
> !
>
> R1#sh policy-map interface
>  FastEthernet0/0
>
>   Service-policy input: qos
>
>     Class-map: http-url (match-all)
>       124 packets, 10918 bytes
>       5 minute offered rate 0 bps
>       Match: protocol http url "*exec*"
>
>     Class-map: http-gif (match-all)
>       0 packets, 0 bytes
>       5 minute offered rate 0 bps
>       Match: protocol http url "*.gif"
>
>     Class-map: http-host-port80 (match-all)
>       0 packets, 0 bytes
>       5 minute offered rate 0 bps
>       Match: protocol http host "12.12.12.2"
>
>     Class-map: http-host-port8080 (match-all)
>       51 packets, 5900 bytes
>       5 minute offered rate 0 bps
>       Match: protocol http host "12.12.12.2:8080"
>
>     Class-map: class-default (match-any)
>       669 packets, 320813 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: any
> R1#
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Antonio Soares
> Sent: Monday, 25 June 2007 3:15
> To: 'M S'; malcolm.salmons@gmail.com
> Cc: ccielab@groupstudy.com
> Subject: RE: NBAR http matching
>
> Something interesting that I want to add to this discussion:
>
> I captured my traffic when opening the DocCD and what I got:
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1st GET Packet:
> URL=/univercd/home/home.htm
> Host=www.cisco.com
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Frame 6 (477 bytes on wire, 477 bytes captured)
> Ethernet II, Src: 00:19:d2:06:f8:cd (00:19:d2:06:f8:cd), Dst: 00:18:39:bc:46:b0 (00:18:39:bc:46:b0)
> Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 198.133.219.25 (198.133.219.25)
> Transmission Control Protocol, Src Port: 3548 (3548), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 423
> Hypertext Transfer Protocol
>     GET /univercd/home/home.htm HTTP/1.1\r\n
>         Request Method: GET
>         Request URI: /univercd/home/home.htm
>         Request Version: HTTP/1.1
>     Accept: */*\r\n
>     Accept-Language: pt\r\n
>     UA-CPU: x86\r\n
>     Accept-Encoding: gzip, deflate\r\n
>     If-Modified-Since: Tue, 19 Jun 2007 18:44:38 GMT\r\n
>     If-None-Match: "850a"\r\n
>     User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.1)\r\n
>     Host: www.cisco.com\r\n
>     Connection: Keep-Alive\r\n
>     Cookie: CP_GUTC=213.164.58.13.1182692844447933\r\n
>     \r\n
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 2nd GET Packet:
> URL=/univercd/cc/lib/splash.gif
> Host=www.cisco.com
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> Frame 19 (535 bytes on wire, 535 bytes captured)
> Ethernet II, Src: 00:19:d2:06:f8:cd (00:19:d2:06:f8:cd), Dst: 00:18:39:bc:46:b0 (00:18:39:bc:46:b0)
> Internet Protocol, Src: 192.168.1.100 (192.168.1.100), Dst: 198.133.219.25 (198.133.219.25)
> Transmission Control Protocol, Src Port: 3549 (3549), Dst Port: 80 (80), Seq: 1, Ack: 1, Len: 481
> Hypertext Transfer Protocol
>     GET /univercd/cc/lib/splash.gif HTTP/1.1\r\n
>         Request Method: GET
>         Request URI: /univercd/cc/lib/splash.gif
>         Request Version: HTTP/1.1
>     Accept: */*\r\n
>     Referer: http://www.cisco.com/univercd/home/home.htm\r\n
>     Accept-Language: pt\r\n
>     UA-CPU: x86\r\n
>     Accept-Encoding: gzip, deflate\r\n
>     If-Modified-Since: Tue, 19 Jun 2007 20:21:18 GMT\r\n
>     If-None-Match: "1119"\r\n
>     User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.1)\r\n
>     Host: www.cisco.com\r\n
>     Connection: Keep-Alive\r\n
>     Cookie: CP_GUTC=213.164.58.13.1182692844447933\r\n
>     \r\n
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> So the match protocol http actually matches the HTTP GET packets.
>
> The GET packets are sent from the client to the server only.
>
> So I think any policy can be applied inbound or outbound depending on where
> the clients are and what we are asked to do.
>
> A common question I saw several times is how to block images. Here we
> may use wildcards to match the URL containing the image file.
>
> For example, if I want to block any .gif, I would do:
>
> !
> class-map match-all http-images
>  match protocol http url "*.gif"
> !
> !
> policy-map qos
>  class http-images
>   drop
> !
>
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> M S
> Sent: Monday, 25 June 2007 1:10
> To: malcolm.salmons@gmail.com
> Cc: ccielab@groupstudy.com
> Subject: RE: NBAR http matching
>
> I've been watching this discussion.
> Can I get some input on the assumptions I make as they relate to this
> document, please?
> Thank you!
>
> When matching by HOST is performed, NBAR performs a regular expression
> match on the host field contents inside an HTTP GET packet and
> classifies all packets from that host.
>
> match protocol http host "abc.com" matches all packets coming FROM
> abc.com.
> So, any policy that matches http host must be an inbound policy.
>
> class-map HOSTS
>  match protocol http host "abc.com"
> policy-map HTTP-FILTERS
>  class HOSTS
> !
> interface Serial0/0
>  service-policy input HTTP-FILTERS
>  description abc is outside of my network over this serial link
>
> When matching by URL is performed, NBAR recognizes the HTTP GET packets
> containing the URL, and then matches all packets that are part of the
> HTTP GET request. When specifying a URL for classification, include only
> the portion of the URL following www.hostname.domain in the match
> statement. For example, in the URL
> www.anydomain.com/latest/whatsnew.html, include only
> /latest/whatsnew.html.
>
> match protocol http url is not confined to any specific direction. If a
> port 80 packet contains a GET statement, NBAR will parse the string for
> a match based on the regular expression.
>
> class-map URL
>  match protocol http url "*/new/*"
> policy-map BLOCK-URL
>  class URL
>   drop
>
> Now, if I want to use both together I will have to use nested
> policy-maps
>
> policy-map HTTP-FILTERS
>  class HOSTS
>   service-policy BLOCK-URL
> !
>
> interface Serial0/0
>  service-policy input HTTP-FILTERS
>
> This policy will allow the requests to abc.com to leave the site, but
> packets directed to the news directory will be dropped.
>
>
> --------------------------------------------------------------------
>
> From: malcolm.salmons@gmail.com
> Reply-To: malcolm.salmons@gmail.com
> To: ccielab@groupstudy.com
> Subject: NBAR http matching
> Date: Sun, 10 Jun 2007 16:30:26 -0400
>
> Hi
>
> I'm having a few problems determining the difference between match
> protocol http host, url and mime and how to apply them to practical
> examples. For example, if I wanted to match traffic for a particular
> directory for a specific website, e.g. www.abc.com/news
>
> How would I go about matching this?
>
> Would it be:
>
> class-map match-all web-directory
>  match protocol http host "www.abc.com"
>  match protocol http url "/news/"
>
> Or am I way off the mark here?
>
> Any help would be greatly appreciated.
>
> Thanks
>
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> Legal Disclaimer:
>
> The information contained in this message may be privileged and
> confidential. It is intended to be read only by the individual or entity to
> whom it is addressed or by their designee. If the reader of this message is
> not the intended recipient, you are on notice that any distribution of this
> message, in any form, is strictly prohibited. If you have received this
> message in error, please immediately notify the sender and delete or destroy
> any copy of this message
>


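The host and url matching semantics argued over in the thread above, as an added example that is not part of the thread and not Cisco code: a small Python model of how a class-map with match protocol http host / url would sort packets, run over constructed sample traffic. It assumes (not verified against IOS) that a pattern is anchored, that * and ? are the only wildcards honoured, and that a match made on a client GET then covers every later packet of the same TCP flow in both directions, as the documentation quoted in the thread describes. The addresses, ports, sample packets and class-map names are constructed for the example, mirroring the ones posted above.

```python
# Added example (not Cisco code): a toy model of NBAR host/URL classification.
# Assumptions, not verified against IOS: a pattern is anchored, '*' matches any run of
# characters and '?' one character; only a packet carrying an HTTP request line can
# start a match, and the match then covers every later packet of that TCP flow.
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


def nbar_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an NBAR-style wildcard string into an anchored regex (assumed semantics)."""
    wild = {"*": ".*", "?": "."}
    return re.compile("^" + "".join(wild.get(c, re.escape(c)) for c in pattern) + "$")


def parse_http_request(payload: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (method, url, host) for an HTTP request; responses, empty ACKs and junk give None."""
    try:
        lines = payload.decode("ascii").split("\r\n\r\n", 1)[0].split("\r\n")
    except UnicodeDecodeError:
        return None
    req = lines[0].split(" ")
    if len(req) != 3 or not req[2].startswith("HTTP/"):
        return None
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()   # browsers send "Host: ip:port" for a non-default port
            break
    return req[0], req[1], host


Packet = NamedTuple("Packet", [("src", str), ("dst", str), ("sport", int),
                               ("dport", int), ("payload", bytes)])


def flow_key(pkt: Packet) -> tuple:
    """Direction-independent key, so server replies join the flow the GET opened."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


class ClassMap(NamedTuple):
    """class-map match-all: every configured match statement must hit."""
    name: str
    host: Optional[str] = None
    url: Optional[str] = None

    def matches(self, host: str, url: str) -> bool:
        for pattern, value in ((self.host, host), (self.url, url)):
            if pattern is not None and not nbar_pattern_to_regex(pattern).match(value):
                return False
        return True


def classify(packets: List[Packet], policy: List[ClassMap]) -> Dict[str, int]:
    """Count packets per class; the first matching class in policy-map order wins."""
    counts = {cm.name: 0 for cm in policy}
    counts["class-default"] = 0
    flow_class: Dict[tuple, str] = {}
    for pkt in packets:
        key = flow_key(pkt)
        req = parse_http_request(pkt.payload)
        if req is not None:   # each client GET (re)classifies its flow
            _, url, host = req
            flow_class[key] = next((cm.name for cm in policy if cm.matches(host, url)),
                                   "class-default")
        counts[flow_class.get(key, "class-default")] += 1
    return counts


def get(url: str, host: str) -> bytes:
    return f"GET {url} HTTP/1.1\r\nHost: {host}\r\nConnection: Keep-Alive\r\n\r\n".encode()


RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"
CLIENT, SITE, ROUTER = "192.168.1.100", "10.0.0.80", "12.12.12.2"   # constructed addresses

# Constructed sample traffic: four TCP flows as seen on the client-facing interface.
SAMPLE_PACKETS = [
    Packet(CLIENT, SITE, 3548, 80, get("/news/today.html", "www.abc.com")),
    Packet(SITE, CLIENT, 80, 3548, RESPONSE),
    Packet(CLIENT, SITE, 3548, 80, b""),                  # bare ACK, same flow
    Packet(CLIENT, SITE, 3549, 80, get("/images/banner.gif", "www.abc.com")),
    Packet(SITE, CLIENT, 80, 3549, RESPONSE),
    Packet(CLIENT, ROUTER, 3550, 8080, get("/exec", "12.12.12.2:8080")),
    Packet(ROUTER, CLIENT, 8080, 3550, RESPONSE),
    Packet(CLIENT, SITE, 3551, 80, get("/index.html", "www.abc.com")),
    Packet(SITE, CLIENT, 80, 3551, RESPONSE),
]

# The class-maps discussed in the thread, in policy-map order.
POLICY = [
    ClassMap("web-directory", host="www.abc.com", url="*/news/*"),
    ClassMap("http-gif", url="*.gif"),
    ClassMap("http-host-port8080", host="12.12.12.2:8080"),
    ClassMap("http-host-port80", host="12.12.12.2"),
]


def demo() -> Dict[str, int]:
    """Run the sample traffic through the policy and return the per-class packet counts."""
    return classify(SAMPLE_PACKETS, POLICY)
```

Calling demo() gives web-directory 3, http-gif 2, http-host-port8080 2, http-host-port80 0 and class-default 2. Two of the thread's observations fall out of the model: a browser talking to port 8080 puts "ip:port" in its Host header, so host "12.12.12.2" never matches that flow while host "12.12.12.2:8080" does, and under these anchored semantics the original question's url "/news/" would match only that exact path, whereas "*/news/*" matches anything under the directory. One caveat for anyone tempted to use this as a filter: everything matched here is text the client wrote into its own request, so a client can send any Host header or URL it likes; NBAR host/url classes are a traffic-engineering tool, not an access-control boundary.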

This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:52 ART