Re: Nbar and mime matching

From: Ruhann (groupstudy@ru.co.za)
Date: Sun Feb 15 2009 - 06:24:16 ARST


Hi

If you used Google Images to test matching the "http url", your policy won't
block the images, as the Google URL doesn't contain your matching string
"*.jpeg", and in your second class-map the matches are incorrect.

"http host" - matches the domain names, i.e.:
       match protocol http host *youtube.com*|*video.google.com*

"http url" - matches additional strings in the URL, words after the first /
       match protocol http url *.flv|*.mp4|*.m4v|*.m4a|*.3gp|*.mov

"http mime-type" - used to match file types (your matches are not in REGEX,
as it matches a mime type/suffix), i.e.:
       match protocol http mime image/jpeg
       ! This would match jpeg,jpg,jpe,jfif,pjpeg, and pjp types
       !
       match protocol http mime image/jpg
       ! This would not match anything as it is not a proper mime type.
       !
       match protocol http mime image*
       ! This would match all image mime types
       !
       match protocol http mime application/x-shockwave-flash
       ! This would not only match swf flash movies, but all of flash.
       !
       match protocol http mime video/flv|video/x-flv|video/mp4|video/x-m4v|audio/mp4a-latm
       ! This would block most movie formats

So to block all JPG and JPEG images, the following should work:
    class-map JPEGS
       match protocol http mime image/jpeg
    policy-map DROP
      class JPEGS
        drop
    int s1/0
       service-policy input DROP

You can get your MIME type from here :
http://www.sfsu.edu/training/mimetype.htm

 HTH
<ruhann>

On Fri, Feb 6, 2009 at 12:20 AM, robert nowosadzki <rnowosadzki@yahoo.com>wrote:

> What is the correct config when it comes to mime matching? I have been
> playing with this, and the only results that I get are with the following
> config:
>
> class-map match-any IMAGES
> match protocol http url "*.jpg"
> match protocol http url "*.jpeg"
>
> policy-map IMAGES_PM
> class IMAGES
> drop
>
> int fa0/0
> service-policy input IMAGES_PM
>
> My setup is basically a laptop connected to a router (fa0/1), and the router
> (fa0/0) is connected to the internet. For testing I go to Google Images and
> try to browse .jpg or .jpeg images.
>
> I have also tried the config below, but that does not produce any hits on
> the policy-map.
>
> class-map match-any IMAGES
> match protocol http mime "*.jpg"
> match protocol http mime "*.jpeg"
>
> Any help is greatly appreciated.
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
<ruhann>

Blogs and organic groups at http://www.ccie.net
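The difference between the three match types discussed in this thread, as an added illustration in Python (not NBAR code, and only an approximation of its wildcard matching): the URL-suffix class never sees ".jpg" in a Google Images URL, the MIME-as-suffix class matches nothing, and the MIME-type class catches every JPEG regardless of how the URL looks. The sample flows are constructed, not captured traffic.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed sample HTTP transactions: the URL the client requested and
# the Content-Type header the server answered with.
SAMPLE_FLOWS = [
    ("http://images.google.com/images?q=cat&tbm=isch", "text/html; charset=UTF-8"),
    ("http://lh3.googleusercontent.com/AbC123xyz=w400", "image/jpeg"),
    ("http://example.com/photos/cat.jpg", "image/jpeg"),
    ("http://example.com/photos/cat.jpeg", "image/jpeg"),
    ("http://video.example.com/clip.flv", "video/x-flv"),
]

def match_host(url, pattern):
    """'http host' style: wildcard pattern against the host name only."""
    return fnmatch.fnmatchcase(urlsplit(url).hostname or "", pattern)

def match_url(url, pattern):
    """'http url' style: wildcard pattern against everything after the first '/'."""
    parts = urlsplit(url)
    target = parts.path + ("?" + parts.query if parts.query else "")
    return fnmatch.fnmatchcase(target, pattern)

def match_mime(content_type, pattern):
    """'http mime' style: wildcard pattern against the media type, parameters dropped."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return fnmatch.fnmatchcase(media_type, pattern)

MATCHERS = {"host": match_host, "url": match_url, "mime": match_mime}

def class_map_hits(flows, match_any):
    """URLs a match-any class-map would classify (and a drop policy would block)."""
    hits = []
    for url, content_type in flows:
        for kind, pattern in match_any:
            subject = content_type if kind == "mime" else url
            if MATCHERS[kind](subject, pattern):
                hits.append(url)
                break  # match-any: first hit is enough
    return hits

# The three class-maps from the thread, expressed as (match type, pattern).
URL_SUFFIX_CLASS = [("url", "*.jpg"), ("url", "*.jpeg")]        # original config
MIME_AS_SUFFIX_CLASS = [("mime", "*.jpg"), ("mime", "*.jpeg")]  # never matches
MIME_TYPE_CLASS = [("mime", "image/jpeg")]                      # suggested config
```

Filtering on the server's declared Content-Type is more robust than a URL suffix, but it still trusts the server's header; a quick comparison of the three hit lists shows why the URL-based class produced hits only on plainly named files.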



This archive was generated by hypermail 2.1.4 : Sun Mar 01 2009 - 09:44:11 ARST