From: Jason Madsen (madsen.jason@gmail.com)
Date: Sat Jan 24 2009 - 15:02:43 ARST
yep, the server can respond with some blahblah.jpeg. you'd probably have to
sniff some traffic and analyze it. without sniffing traffic, you could do
as i mentioned earlier.
On Sat, Jan 24, 2009 at 10:00 AM, Han Solo <emaillists@me.com> wrote:
> Well that blows that theory out of the water. Petr has this post on IE
> blog "Using NBAR for HTTP URL filtering - CCIE Blog.htm" down by section
> Q3/A3 where he shows an example of url filtering and applied incoming to
> the outside / internet interface
>
>
>
> On Jan 24, 2009, at 8:44 AM, Roger RPF wrote:
>
> Hey Jason,
>>
>> Thanks for that, it explains the issue / difference between having the
>> .jpg...in an url or having it "somewhere" on that page. Maybe my initial
>> example was not specific enough :o(
>>
>> So to go back to my initial question. To block the url's
>>
>> www.dontcheat.com/ccie/mynumber.jpg
>> www.dontcheat.com/ccie/mynumber.gif
>>
>> But to still allow access to
>>
>> www.dontcheat.com/ccie/mynumber
>>
>> I would have to do the following to block it:
>>
>> class-map match-all BLOCK
>> match protocol http host www.dontcheat.com
>> match protocol http url "/ccie"
>> match protocol http url "*.jpg|*.gif"
>>
>> The question is why in the DocCD it is written not to use matching on
>> host?
>>
>> http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1051880
>>
>> As I said before, to me, in that case we would also block /ccie/mynumber.jpg
>> or .gif from another host, isn't it?
>>
>>
>> regards
>>
>> Roger
>>
>> From: Jason Madsen [mailto:madsen.jason@gmail.com]
>> Sent: Saturday, January 24, 2009 17:29
>> To: Han Solo
>> Cc: Roger RPF; Wouter Prins; Cisco certification
>> Subject: Re: AW: nbar / http classification question
>>
>> there are definitely jpeg images on that page, as can be verified by looking
>> at the html source code, but you aren't going to actually type a URL with a
>> .jpeg extension to view them. they are downloaded automatically when you
>> navigate to that page. that's the reason I recommended using mime for your
>> jpeg matching.
>>
>> Jason
>> On Sat, Jan 24, 2009 at 9:25 AM, Han Solo <emaillists@me.com> wrote:
>> Yea there there use firefox with downloadem all and filter on jpeg's you
>> will see them
>>
>>
>>
>> On Jan 24, 2009, at 8:24 AM, Jason Madsen wrote:
>> actually, are there any images at http://www.cisco.com/go/ccie with a URL
>> ending in .jpeg or another jpeg extension? I don't see any. If that's the
>> case, then you'd probably want to go with matching mime since it will
>> actually be the jpeg image type that you want to block and not a URL with
>> "jpeg" at the end of it...hope that makes sense.
>>
>> On Sat, Jan 24, 2009 at 9:21 AM, Jason Madsen <madsen.jason@gmail.com>
>> wrote:
>> image querying should be blocked by the JPEG URL statements you made,
>> whereas, image downloading should be blocked by a mime statement.
>>
>> On Sat, Jan 24, 2009 at 9:19 AM, Jason Madsen <madsen.jason@gmail.com>
>> wrote:
>> I guess URL matching for the JPEG part should be fine too though...either
>> way.
>>
>>
>> On Sat, Jan 24, 2009 at 9:15 AM, Jason Madsen <madsen.jason@gmail.com>
>> wrote:
>> I recommend you guys try just using URL for your URL match, rather than host
>> and either put the entire URL string in your match statement or else use
>> asterisks. For your image matching, I recommend you guys try matching JPEG
>> via http mime, rather than URL.
>>
>> Jason
>>
>>
>> On Sat, Jan 24, 2009 at 9:08 AM, Han Solo <emaillists@me.com> wrote:
>> For some reason I get hit and miss results when matching on various "match
>> protocol http host" types but this one works
>>
>> INTERNET(config-cmap)#do show policy-map int g0/0
>>
>> GigabitEthernet0/0
>>
>> Service-policy input: url
>>
>> Class-map: url (match-all)
>> 102 packets, 67994 bytes
>> 30 second offered rate 9000 bps, drop rate 9000 bps
>> Match: protocol http
>> drop
>>
>>
>>
>>
>>
>>
>>
>>
>> On Jan 24, 2009, at 7:52 AM, Han Solo wrote:
>>
>> Class Map match-all url (id 6)
>> Match protocol http url "*.gif|*.jpg|*.jpeg"
>> Match protocol http url "*/ccie*"
>> Match protocol http host "http://www.cisco.com/"
>>
>> INTERNET#
>> INTERNET#sh policy-map int g0/0
>> GigabitEthernet0/0
>>
>> Service-policy input: url
>>
>> Class-map: url (match-all)
>> 0 packets, 0 bytes
>> 30 second offered rate 0 bps, drop rate 0 bps
>> Match: protocol http url "*.gif|*.jpg|*.jpeg"
>> Match: protocol http url "*/ccie*"
>> Match: protocol http host "http://www.cisco.com/"
>> drop
>>
>>
>>
>>
>>
>>
>> On Jan 24, 2009, at 7:49 AM, Han Solo wrote:
>>
>> I think it has to do with the "match-all" in the class map. I am trying
>> different things; bottom line, with both of the examples posted so far there
>> is no match. I have a 2851 as internet router at home to try and test them
>> so I block my wife's stuff when I come home from work. It really is good
>> exercise to get these things down. Curious why these ones aren't working?
>> If you want to jump on and test with me let me know, I will start up a webex
>>
>>
>> On Jan 24, 2009, at 7:35 AM, Roger RPF wrote:
>>
>> Well, I did not try but I guess you would have to use:
>>
>> match protocol http url "*/ccie"
>>
>> or
>>
>> match protocol http url "go/ccie"
>>
>> if that is the exact url
>>
>> regards
>>
>> Roger
>>
>>
>> -----Original Message-----
>> From: Han Solo [mailto:emaillists@me.com]
>> Sent: Saturday, January 24, 2009 16:30
>> To: Wouter Prins
>> Cc: Roger RPF; Cisco certification
>> Subject: Re: nbar / http classification question
>>
>> That doesn't work I tried it
>>
>> INTERNET#sh policy-map interface g0/0
>> GigabitEthernet0/0
>>
>> Service-policy input: url
>>
>> Class-map: url (match-all)
>> 0 packets, 0 bytes -------> NO MATCHES WHEN GOING TO WWW.CISCO.COM/GO/CCIE
>> 30 second offered rate 0 bps, drop rate 0 bps
>> Match: protocol http host "www.cisco.com"
>> Match: protocol http url "/ccie"
>> Match: protocol http url "*.gif|*.jpg|*.jpeg"
>> drop
>>
>>
>> class-map match-all url
>> match protocol http host "www.cisco.com"
>> match protocol http url "/ccie"
>> match protocol http url "*.gif|*.jpg|*.jpeg"
>>
>> policy-map url
>> class url
>> drop
>>
>>
>>
>>
>> On Jan 24, 2009, at 6:44 AM, Wouter Prins wrote:
>>
>> I think:
>>
>> class-map match-all URL
>> match protocol http host www.cisco.com
>> match protocol http url "/ccie"
>> match protocol http url "*.gif|*.jpg|*.jpeg"
>>
>> Would also work
>> Wouter
>>
>> 2009/1/24 Roger RPF <rpf@bluemail.ch>
>>
>> Hi group,
>>
>> Question regarding nbar and the class-maps. If the task tells to block all
>> .jpeg and .gif from www.cisco.com/ccie how do you create the class map? Do
>> we need to include the hostname part? If I look at the following link on the
>> doccd, they say no:
>>
>> http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/clsfy_traffic_nbar_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1051880
>>
>> But to me, this would mean that we would also block .jpeg and .gif for the
>> site www.dontcheat.com/ccie or not?
>>
>> My solution:
>>
>> class-map match-all URL
>> match protocol http host www.cisco.com
>> match protocol http url "/ccie"
>> match class-map URLCHILD
>>
>> class-map match-any URLCHILD
>> match protocol http url "*.gif*"
>> match protocol http url "*.jpg*"
>> match protocol http url "*.jpeg*"
>>
>> What do you think?
>>
>> thanks
>>
>> Roger
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
> Han Solo
> May the force be with you
Blogs and organic groups at http://www.ccie.net
This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:43:40 ARST
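
A simplified model of the class-map logic debated in this thread, as an added example that is not from any poster and is not Cisco's implementation. It assumes each `match protocol http` pattern must cover the whole Host or URL field, with `*` and `|` as the only metacharacters; the `/ccie/*` variants, the class-map names and `www.example.org` are hypothetical.

```python
import re

def glob_match(pattern, value):
    """'*' matches any run of characters, '|' separates alternatives.
    ASSUMPTION: the pattern must cover the whole field (anchored match)."""
    alts = (".*".join(map(re.escape, alt.split("*"))) for alt in pattern.split("|"))
    return re.fullmatch("|".join(f"(?:{a})" for a in alts), value) is not None

def class_matches(class_maps, name, request):
    """Evaluate one class-map: match-all is a logical AND, match-any an OR."""
    mode, statements = class_maps[name]
    hits = []
    for kind, arg in statements:
        if kind == "class-map":      # nested class-map, as in Roger's solution
            hits.append(class_matches(class_maps, arg, request))
        else:                        # "host" or "url" field of the request
            hits.append(glob_match(arg, request[kind]))
    return all(hits) if mode == "match-all" else any(hits)

CLASS_MAPS = {
    "URLCHILD": ("match-any", [("url", "*.gif*"), ("url", "*.jpg*"), ("url", "*.jpeg*")]),
    # As posted in the thread: exact "/ccie" AND an image suffix on the same URL.
    "AS_POSTED": ("match-all", [("host", "www.dontcheat.com"), ("url", "/ccie"),
                                ("url", "*.jpg|*.gif")]),
    # Hypothetical variant: path prefix with a trailing wildcard plus the child map.
    "PREFIX": ("match-all", [("host", "www.dontcheat.com"), ("url", "/ccie/*"),
                             ("class-map", "URLCHILD")]),
    # Hypothetical variant without the host statement.
    "NO_HOST": ("match-all", [("url", "/ccie/*"), ("class-map", "URLCHILD")]),
}

# Constructed requests; www.example.org stands in for "another host".
REQUESTS = [
    {"host": "www.dontcheat.com", "url": "/ccie/mynumber.jpg"},
    {"host": "www.dontcheat.com", "url": "/ccie/mynumber.gif"},
    {"host": "www.dontcheat.com", "url": "/ccie/mynumber"},
    {"host": "www.example.org", "url": "/ccie/mynumber.jpg"},
]

def verdicts(name):
    """One boolean per request: True means the class (and its drop) applies."""
    return [class_matches(CLASS_MAPS, name, r) for r in REQUESTS]

if __name__ == "__main__":
    for name in ("AS_POSTED", "PREFIX", "NO_HOST"):
        print(f"{name:10}", verdicts(name))
```

Under these assumptions the posted class never fires because no single URL can equal `/ccie` and also end in an image extension, and dropping the host statement extends the block to the same path on any other host.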