From: omar parihuana (omar.parihuana@gmail.com)
Date: Sun Jul 13 2008 - 23:41:13 ART
Hi Luca,
Thanks for the explanation!!! Great!! Now I can continue with the next task...
Rgds.
On Sun, Jul 13, 2008 at 9:31 PM, Luca Hall <lhall@setnine.com> wrote:
>
> It works on output because it matches the HTTP GET request
> from the client to the server; if you watch the HTTP headers
> you can see the match. There's no way it could match on the
> way back because the string (*.gif) you're matching isn't there.
>
> You can test (e.g. if the image is http://www.someserver.com/image.gif):
>
> lhall@pathogen:~$ telnet www.someserver.com 80
> Connected to www.someserver.com.
> Escape character is '^]'.
>
> /*
> * type this GET ... to simulate the HTTP client request;
> * this is what matches the string image.gif
> */
>
> GET /image.gif HTTP/1.0<hit enter twice>
>
> /*
> * these are the headers you get back from the server
> * that cannot match because there's no *.gif string returned
> */
>
> HTTP/1.1 200 OK
> Date: Mon, 14 Jul 2008 01:57:38 GMT
> Server: Apache
> Last-Modified: Mon, 02 Apr 2007 13:36:44 GMT
> ETag: "649b310e65a61217f40064b17751d1177a9a43da"
> Accept-Ranges: bytes
> Content-Length: 8385
> Connection: close
> Content-Type: image/gif
>
>
> <image data>
>
>
>
> ----- Original Message -----
> From: omar parihuana <omar.parihuana@gmail.com>
> To: Hobbs <deadheadblues@gmail.com>
> Cc: Ramy Sisy <ramysisy@inspiredmaster.com>, Cisco certification <ccielab@groupstudy.com>
> Sent: Sun, 13 Jul 2008 21:45:30 -0400 (EDT)
> Subject: Re: NBAR and Dynamips // SOLVED but is strange!
>
> Hi Folks,
>
> Thank you for your suggestions!
>
> I changed the service-policy direction from input to output and the filter
> works fine now!!! However, I don't understand well why it works with the
> output service policy but not with input, since the connection is requested
> from the client, in accordance with the picture:
>
> (R1) ---- (R4)-s0/1------------------(R5)
>
> R5: HTTP Server (IP Address 150.1.5.5)
> R1: Client
> On R4, on the serial interface:
> R4#sh run int s0/1
> Building configuration...
>
> Current configuration : 158 bytes
> !
> interface Serial0/1
> ip address 155.1.45.4 255.255.255.0
> ip nat outside
> ip virtual-reassembly
> clock rate 2000000
> service-policy output DROP_IMAGES
> end
>
> R4#
>
> !
> ! R4
> !
> class-map match-any IMAGES
> match protocol http url "*.gif"
> !
> !
> policy-map DROP_IMAGES
> class IMAGES
> drop
> !
> !
> !
> !
>
> R1#copy http://150.1.5.5/test.gif null:
> %Error opening http://150.1.5.5/test.gif (I/O error)
>
>
> Rgds.
>
> On Sun, Jul 13, 2008 at 7:52 PM, Hobbs <deadheadblues@gmail.com> wrote:
>
> > A good way to test is to copy the running-config to something like this on
> > your HTTP "server" router:
> >
> > R4#copy running-config config.jpeg
> > Destination filename [config.jpeg]?
> > Erase flash: before copying? [confirm]n
> > Verifying checksum... OK (0x42CD)
> > 1648 bytes copied in 4.180 secs (394 bytes/sec)
> > R4#
> > R4#conf t
> > Enter configuration commands, one per line. End with CNTL/Z.
> > R4(config)#ip http server
> > R4(config)#ip http path flash://
> >
> > Then on R6, the client:
> >
> > R6#copy http://172.14.45.4/config.jpeg flash://config.jpeg
> > Destination filename [config.jpeg]?
> > Erase flash: before copying? [confirm]
> > Erasing the flash filesystem will remove all files! Continue? [confirm]n
> > Loading http://172.14.45.4/config.jpeg !
> > Verifying checksum... OK (0x42CD)
> > 1648 bytes copied in 0.404 secs (4079 bytes/sec)
> > R6#
> >
> > You could have a middle router, say R5, with the NBAR MQC policies that
> > filter out jpeg, gif extensions, etc.
> >
> >
> > On Sun, Jul 13, 2008 at 2:21 PM, Ramy Sisy <ramysisy@inspiredmaster.com>
> > wrote:
> >
> >> Hi Omar,
> >> How could you test it?
> >> Are you requesting any image files with the right path direction to
> >> trigger the filter?
> >>
> >>
> >> BEST REGARDS,
> >>
> >> RAMY SISY, CCIE X 2 (SECURITY, ROUTING/SWITCHING)#17321, CCSI#30417
> >> CCIE PROGRAM MANAGER
> >>
> >> INSPIRED MASTER
> >> INSPIRING CREATIVE THINKING ....
> >>
> >> WWW.INSPIREDMASTER.COM
> >> E. RAMYSISY@INSPIREDMASTER.COM
> >>
> >>
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of omar parihuana
> >> Sent: Sunday, July 13, 2008 12:26 PM
> >> To: Cisco certification
> >> Subject: NBAR and Dynamips
> >>
> >> Hi List,
> >>
> >> I'm using Dynamips to replicate the labs of Internetwork Expert Vol I
> >> v4.1. I have an issue with the Security part, specifically: Using NBAR to
> >> Filter Traffic. The lab is very simple, but it is not working with my
> >> Dynagen/Dynamips. My question is: does NBAR work well with Dynamips??? The
> >> configuration part is:
> >>
> >> class-map match-any IMAGES
> >> match protocol http url "*.gif"
> >> match protocol http url "*.jpeg|*.jpg"
> >> !
> >> !
> >> policy-map DROP_IMAGES
> >> class IMAGES
> >> drop
> >> !
> >>
> >> int s0/1
> >> service-policy input DROP_IMAGES
> >> int s0/0.201
> >> service-policy input DROP_IMAGES
> >> !
> >>
> >> But according to the tests, the files with extensions .gif, .jpg or .jpeg
> >> are never blocked. I don't see anything wrong, so what is the error??
> >>
> >> R4#sh policy-map interface s0/1
> >> drop
> >> Serial0/1
> >>
> >> Service-policy input: DROP_IMAGES
> >>
> >> Class-map: IMAGES (match-any)
> >> 0 packets, 0 bytes
> >> 5 minute offered rate 0 bps, drop rate 0 bps
> >> Match: protocol http url "*.gif"
> >> 0 packets, 0 bytes
> >> 5 minute rate 0 bps
> >> Match: protocol http url "*.jpeg|*.jpg"
> >> 0 packets, 0 bytes
> >> 5 minute rate 0 bps
> >>
> >> Class-map: class-default (match-any)
> >> 15 packets, 1260 bytes
> >> 5 minute offered rate 0 bps, drop rate 0 bps
> >> Match: any
> >> R4#sh policy-map interface s0/0.201
> >>
> >> drop
> >> Serial0/0.201
> >>
> >> Service-policy input: DROP_IMAGES
> >>
> >> Class-map: IMAGES (match-any)
> >> 0 packets, 0 bytes
> >> 5 minute offered rate 0 bps, drop rate 0 bps
> >> Match: protocol http url "*.gif"
> >> 0 packets, 0 bytes
> >> 5 minute rate 0 bps
> >> Match: protocol http url "*.jpeg|*.jpg"
> >> 0 packets, 0 bytes
> >> 5 minute rate 0 bps
> >>
> >> Class-map: class-default (match-any)
> >> 25 packets, 3674 bytes
> >> 5 minute offered rate 0 bps, drop rate 0 bps
> >> Match: any
> >> R4#
> >>
> >> Rgds.
> >>
> >>
> >> --
> >> Omar E.P.T
> >> -----------------
> >> Certified Networking Professionals make better Connections!
> >>
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
>
>
> --
> Omar E.P.T
> -----------------
> Certified Networking Professionals make better Connections!
>
>
--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
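As an added example (not part of any message in the thread above), the following Python script models the point Luca makes: an NBAR-style "match protocol http url" pattern is compared against the request-target in the HTTP request line, which travels from client to server, while the server's response and the image bytes that follow carry no such string. The pattern translation (`*`, `?` and `|`), the constructed request and response bytes, the "input"/"output" labels for R4's Serial0/1 and the function names are all assumptions made for this illustration. It is a deliberately simplified model of the match, not an implementation of IOS NBAR, which keeps per-flow state and can classify later packets of a flow once the request has been seen.

```python
import re
from typing import Iterable, List, Optional, Tuple

# NBAR-style 'match protocol http url' patterns from the thread's class-map IMAGES.
IMAGES_PATTERNS = ['*.gif', '*.jpeg|*.jpg']


def nbar_url_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an NBAR-style URL pattern into an anchored regex.

    Supported metacharacters (assumption: the subset used in the thread):
      *  any run of characters, including '/'
      ?  exactly one character
      |  alternation between whole patterns, e.g. '*.jpeg|*.jpg'
    """
    alternatives = []
    for alt in pattern.split('|'):
        pieces = []
        for ch in alt:
            if ch == '*':
                pieces.append('.*')
            elif ch == '?':
                pieces.append('.')
            else:
                pieces.append(re.escape(ch))
        alternatives.append(''.join(pieces))
    return re.compile('^(?:' + '|'.join(alternatives) + ')$')


_REQUEST_LINE = re.compile(r'^(GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/\d\.\d$')


def http_request_url(payload: bytes) -> Optional[str]:
    """Return the request-target from an HTTP request line, or None.

    A response ('HTTP/1.1 200 OK ...') or raw image bytes has no request
    line, so there is nothing for a URL pattern to match on that packet.
    """
    first_line = payload.split(b'\r\n', 1)[0]
    try:
        text = first_line.decode('ascii')
    except UnicodeDecodeError:
        return None
    m = _REQUEST_LINE.match(text)
    return m.group(2) if m else None


def matches_class(payload: bytes, patterns: Iterable[str] = IMAGES_PATTERNS) -> bool:
    """True if the packet carries an HTTP request whose URL matches any
    pattern (match-any semantics, like the thread's class-map IMAGES)."""
    url = http_request_url(payload)
    if url is None:
        return False
    return any(nbar_url_pattern_to_regex(p).match(url) for p in patterns)


# Constructed sample flow as seen on R4's Serial0/1, which faces the server R5:
# 'output' = leaving R4 toward R5, 'input' = arriving at R4 from R5.
CLIENT_REQUEST = b'GET /test.gif HTTP/1.0\r\nHost: 150.1.5.5\r\n\r\n'
SERVER_RESPONSE = (b'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: image/gif\r\n'
                   b'Content-Length: 6\r\n\r\n')
IMAGE_DATA = b'GIF89a'  # constructed body segment: a GIF header, no request line
S01_FLOW: List[Tuple[str, bytes]] = [
    ('output', CLIENT_REQUEST),
    ('input', SERVER_RESPONSE),
    ('input', IMAGE_DATA),
]


def drops_for_policy(direction: str, flow=S01_FLOW, patterns=IMAGES_PATTERNS) -> int:
    """Number of packets the 'drop' action would hit when DROP_IMAGES is
    attached with 'service-policy <direction>' on the interface carrying flow."""
    return sum(1 for pkt_dir, payload in flow
               if pkt_dir == direction and matches_class(payload, patterns))


if __name__ == '__main__':
    print('service-policy output DROP_IMAGES drops', drops_for_policy('output'), 'packet(s)')
    print('service-policy input  DROP_IMAGES drops', drops_for_policy('input'), 'packet(s)')
```

Run as-is, it reports one drop for the output direction on Serial0/1 (the GET carrying /test.gif) and none for input, since neither the response headers nor the body contain a URL. Note also that in this model the patterns are anchored to the whole request-target, so `/test.gif?x=1` would slip past `*.gif`; an extension-based filter like this is a convenience control, not a security boundary.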
This archive was generated by hypermail 2.1.4 : Mon Aug 04 2008 - 06:11:54 ART