RE: NBAR url match

From: Howard Hooper (Howard.Hooper@dupre.co.uk)
Date: Sun Jan 11 2009 - 18:23:21 ARST


I thought the below information may help to see what happens when this feature
is configured.

I've labbed this up with the following: PC1 > vlan1 Router vlan2 > WebServer

I want to match the .gif, .jpeg and .jpg extensions in any URLs I pull down
from the web server, so I've set up a policy-map on the router to drop all
packets that include these file extensions, with the config:
class-map match-all IMAGE
 match protocol http url "*.gif|*.jpeg|*.jpg"
!
!
policy-map HTTP
 class IMAGE
   drop

interface vlan 1
service-policy output HTTP

When I request the URL "http://host1.qos.net/qos/test.gif" from the webserver
using PC1, I see the packets being matched and dropped, and I don't see an
image appear in my browser.

R4#sh policy-map int vlan 1 out
 Vlan1

  Service-policy output: HTTP

    Class-map: IMAGE (match-all)
      3 packets, 134 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.gif|*.jpeg|*.jpg"
      drop

Now when I request the URL "http://host1.qos.net/qos/test.gif?test=1", my
class-map doesn't match anything and I see an image being displayed.

R4#sh policy-map int vlan 1 out
 Vlan1

  Service-policy output: HTTP

    Class-map: IMAGE (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.gif|*.jpeg|*.jpg"
      drop

    Class-map: class-default (match-any)
      33 packets, 2849 bytes
      30 second offered rate 1000 bps, drop rate 0 bps
      Match: any

To fix this problem I now must change my class-map to allow for any requests
that include the file extensions as well as any requests for 'dynamic content'
(a URL with a ? after it). I do this with the following:

class-map match-all IMAGE
 match protocol http url "*.gif*|*.jpeg*|*.jpg*"

Now when I request the URL "http://host1.qos.net/qos/test.gif?test=1", I can
see the packets being matched in my class-map and dropped, and I therefore
don't receive an image in my browser this time.

R4#sh policy-map int vlan 1
 Vlan1

  Service-policy output: HTTP

    Class-map: IMAGE (match-all)
      7 packets, 942 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.gif*|*.jpeg*|*.jpg*"
      drop

    Class-map: class-default (match-any)
      20 packets, 1289 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
R4#

Now another problem occurs when I request a URL from a different server, e.g.
host2.qos.net, and the requested page includes an image with the
.gif/.jpeg/.jpg extension, but I don't want the router to drop this traffic. We
can see here that if I put in a request for
'http://host2.qos.net/qos/test.gif?test=1#' the class-map is still matching
the URL and therefore the policy is dropping the packets.

R4#sh policy-map int vlan 1
 Vlan1

  Service-policy output: HTTP

    Class-map: IMAGE (match-all)
      2 packets, 249 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.gif*|*.jpeg*|*.jpg*"
      Match: protocol http host "host1.qos.net"
      drop

    Class-map: class-default (match-any)
      10 packets, 650 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
R4#

So I can fix this problem by specifying that the only host I want to match
images from is host1, with the following:

!
class-map match-all IMAGE
 match protocol http url "*.gif*|*.jpeg*|*.jpg*"
 match protocol http host "host1.qos.net"
!

Now I can see an image in my browser if I go to
http://host2.qos.net/qos/test.gif?test=1, as the class-map isn't matching this
host anymore (output below); however, images with the above-mentioned file
extensions will still be blocked if coming from host1 instead.

R4#sh policy-map int vlan 1
 Vlan1

  Service-policy output: HTTP

    Class-map: IMAGE (match-all)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.gif*|*.jpeg*|*.jpg*"
      Match: protocol http host "host1.qos.net"
      drop

    Class-map: class-default (match-any)
      9 packets, 844 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
R4#

I hope this helps

Howard
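The following is an added example, not part of Howard's post or of Cisco's code. It is a small Python model of the NBAR URL pattern syntax as documented in the Cisco QoS command reference quoted further down in this thread (*, ?, |, (|) and [ ]), used to replay the three class-maps from the lab above and the other patterns proposed in the thread. Two assumptions are built in and labelled in the code: the pattern has to cover the whole string (which is what the lab output shows, since "*.gif" did not match "/qos/test.gif?test=1"), and the "url" keyword is compared against the path plus query string while "host" is compared against the hostname taken from the URL, standing in for the HTTP Host header. The real IOS matcher may differ in details the documentation does not spell out.

```python
import re
from urllib.parse import urlsplit

# NBAR URL pattern syntax as listed in the Cisco QoS command reference quoted in
# this thread: '*' = zero or more chars, '?' = one char, '|' = alternation,
# '(...|...)' = grouped alternation, '[...]' = character range, with '[*]' and
# '[[]' standing for a literal '*' and '['.  Everything else is literal.


def nbar_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an NBAR 'match protocol http url/host' pattern into a regex.

    Assumption (not stated in the Cisco text, but consistent with the lab output
    above, where "*.gif" did not match "/qos/test.gif?test=1"): the pattern must
    cover the whole string, so callers use fullmatch() on the result.
    """
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "|":
            out.append("|")
        elif c == "(":
            out.append("(?:")
        elif c == ")":
            out.append(")")
        elif c == "[":
            close = pattern.index("]", i + 1)  # ValueError on an unterminated '['
            body = pattern[i + 1:close]
            if body in ("*", "["):             # documented escapes: [*] and [[]
                out.append(re.escape(body))
            else:                              # e.g. [0-9], passed through as a class
                out.append("[" + body + "]")
            i = close
        else:
            out.append(re.escape(c))           # '.', '/', '=' etc. are literal
        i += 1
    return re.compile("(?:" + "".join(out) + ")")


def url_match_subject(url: str) -> str:
    """The string the 'url' keyword is compared against (assumption, see lead-in).

    Per the quoted Cisco text only the part after the hostname is matched, so a
    request for http://host1.qos.net/qos/test.gif?test=1 is tested as
    '/qos/test.gif?test=1'.  The query string is kept, because that is exactly
    what defeats "*.gif"; a '#fragment' is dropped because browsers never send it.
    """
    parts = urlsplit(url)
    subject = parts.path
    if parts.query:
        subject += "?" + parts.query
    return subject


def class_map_matches(statements, url: str, match_all: bool = True) -> bool:
    """Evaluate a class-map of ('url'|'host', pattern) statements for one request.

    match_all=True models 'class-map match-all' (every statement must hit),
    match_all=False models 'class-map match-any'.  The 'host' statement is
    compared against the hostname in the URL, standing in for the Host header.
    """
    host = urlsplit(url).hostname or ""
    hits = []
    for kind, pattern in statements:
        subject = host if kind == "host" else url_match_subject(url)
        hits.append(nbar_pattern_to_regex(pattern).fullmatch(subject) is not None)
    return all(hits) if match_all else any(hits)


# The three class-maps from the lab above, in the order they were tried.
IMAGE_V1 = [("url", "*.gif|*.jpeg|*.jpg")]
IMAGE_V2 = [("url", "*.gif*|*.jpeg*|*.jpg*")]
IMAGE_V3 = IMAGE_V2 + [("host", "host1.qos.net")]

if __name__ == "__main__":
    # Constructed requests: the three URLs used in the lab above.
    for name, cmap in (("v1", IMAGE_V1), ("v2", IMAGE_V2), ("v3", IMAGE_V3)):
        for url in ("http://host1.qos.net/qos/test.gif",
                    "http://host1.qos.net/qos/test.gif?test=1",
                    "http://host2.qos.net/qos/test.gif?test=1"):
            verdict = "drop" if class_map_matches(cmap, url) else "pass"
            print(f"{name}  {url:45} -> {verdict}")
```

Running it reproduces the lab: v1 drops the plain .gif request and passes the same file once "?test=1" is appended (the bypass Ivan warns about), v2 drops both regardless of host, and v3 drops only when the host is host1.qos.net. The same functions also show why "*.gif*|*.jpeg|*.jpg*" (the pattern questioned later in the thread) lets "/fish.jpeg?988798" through while "/fish.jpeg" is still caught.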

________________________________

From: nobody@groupstudy.com on behalf of Ivan Walker
Sent: Sun 11/01/2009 06:26
To: Hobbs
Cc: Radioactive Frog; Narbik Kocharians; Basel; John Edom; GS
Subject: Re: NBAR url match

Taking a look at the Cisco documentation (link below), it states:

The parameter specification strings can take the form of a regular
expression with the following options:

Option  Description
*       Match any zero or more characters in this position.
?       Match any one character in this position.
|       Match one of a choice of characters.
(|)     Match one of a choice of characters in a range. For example,
        cisco.(gif | jpg) matches either cisco.gif or cisco.jpg.
[ ]     Match any character in the range specified, or one of the special
        characters. For example, [0-9] is all of the digits. [*] is the "*"
        character and [[] is the "[" character.

So I would guess it is a subset, but you could always lab it up to make sure.

I also forgot to mention previously that, apart from appending ?xxxx to a URL
for caching purposes, a user could exploit this to bypass URL matching
configured on a router.

Ivan

Hobbs wrote:
> What's the purpose of $ if you don't put the * at the end of your
> expression? Doesn't $ signify end of line? Or are these not pure regexp?
>
> On Sat, Jan 10, 2009 at 9:48 PM, Ivan Walker <ivan@itpro.co.nz> wrote:
>
> Hi,
>
> Someone kindly pointed out earlier that often the images have ?
> followed by some random numbers or string. Quite often this is done
> so that the images aren't taken from a cache. E.g.
> http://yourdomain.com/fish.gif?988798
>
> Using the * after jpg etc will match these urls too.
>
> Thanks
>
> Ivan
>
> Radioactive Frog wrote:
>
> Why suffix '*' to .gif* and .jpg* but not to .jpeg?
>
> match protocol http url "*.gif*|*.jpeg|*.jpg*"
>
> On Sun, Jan 11, 2009 at 9:29 AM, Narbik Kocharians <narbikk@gmail.com> wrote:
>
> Ivan,
>
> You are correct.
>
> On Sat, Jan 10, 2009 at 11:56 AM, Ivan Walker <ivan@itpro.co.nz> wrote:
>
> > Hi,
> >
> > According to the documentation (
> > http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m1.html#wp1024534)
> >
> > url: (Optional) Specifies matching by a URL.
> > url-string: (Optional) User-specified URL of HTTP traffic to be matched.
> > host: (Optional) Specifies matching by a hostname.
> > hostname-string: (Optional) User-specified hostname to be matched.
> >
> > "When specifying a URL for classification, include only the portion of the
> > URL that follows the www./hostname/./domain/ in the *match* statement. For
> > example, for the URL www.cisco.com/latest/whatsnew.html, include only
> > /latest/whatsnew.html with the *match* statement (for instance, *match
> > protocol http url /latest/whatsnew.html*). "
> > Thus shouldn't the example be like this?
> >
> > class-map match-all TEST
> >  match protocol http url "*.gif*|*.jpeg|*.jpg*"
> >  match protocol http host "www.youtube.com"
>
> >
> > Regards
> >
> > Ivan
> >
> >
> > Basel wrote:
> >
> >> Hi,
> >> You would need to use the | operator if you are matching those extensions
> >> from specific websites like YouTube, hence you need 2 matching statements,
> >> one for the url of the website and one for all extensions that need to be
> >> matched, while your class-map should match-all.
> >>
> >> class-map match-all TEST
> >>  match protocol http url "*.gif*|*.jpeg|*.jpg*"
> >>  match protocol http url "www.youtube.com"
>
> >>
> >>
> >>
> >> Regards,
> >> Basel
> >>
> >> -----Original Message-----
> >> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> >> John Edom
> >> Sent: Saturday, January 10, 2009 4:36 PM
> >> To: GS
> >> Subject: NBAR url match
> >>
> >> hi,
> >>
> >> Tell me, is it correct to match http .gif, .jpeg, .jpg images like this?
> >>
> >> class-map match-any HTTP
> >> match proto http url "*.gif*"
> >> match proto http url "*.jpeg*"
> >> match proto http url "*.jpg*"
> >>
> >>
> >> sorry for the large font, but it should be clear to you :)
> >>
> >> I have found a solution without * at the end that seems correct as well,
> >> and a solution where only one statement is configured and all image types
> >> are separated with the | sign.
> >>
> >> Regards
> >>
> >>



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:37 ARST