Re: Code Red - and its workarounds with NBAR posted 08/14/2001
When I was looking at this I found on the Feature sets we are running, HTTP
protocol is not supported in versions below 12.1(5)T

See below on a 7200 running 12.1(4)E1

VEWAN-R1(config)#class-map match-any http
TEST-R1(config-cmap)#match protocol ?
  aarp              AppleTalk ARP
  apollo            Apollo Domain
  appletalk         AppleTalk
  arp               IP ARP
  bridge            Bridging
  bstun             Block Serial Tunnel
  cdp               Cisco Discovery Protocol
  clns              ISO CLNS
  clns_es           ISO CLNS End System
  clns_is           ISO CLNS Intermediate System
  cmns              ISO CMNS
  compressedtcp     Compressed TCP
  decnet            DECnet
  decnet_node       DECnet Node
  decnet_router-l1  DECnet Router L1
  decnet_router-l2  DECnet Router L2
  dlsw              Data Link Switching
  ip                IP
  ipx               Novell IPX
  llc2              llc2
  pad               PAD links
  qllc              qllc protocol
  rsrb              Remote Source-Route Bridging
  snapshot          Snapshot routing support
  stun              Serial Tunnel
  vines             Banyan VINES
  vofr              voice over Frame Relay packets
  xns               Xerox Network Services


Regards

Gordon

henryd31@xxxxxxxx on 08/14/2001 05:41:40 AM

Please respond to henryd31@xxxxxxxx

To:   ccielab@xxxxxxxxxxxxxx
cc:   (bcc: Gordon W Skinner)
Subject:  Code Red - and its workarounds with NBAR
Guys,

Sorry if this is off topic here. I think this is within our studying
depth, but if not then I apologize ahead of time before someone decides
for unneeded criticism.

Anyway, I need to change a bit the example from Cisco's web site to
prevent the Red Code spreading thru the routers by using NBAR.

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

And here is what I'm trying to do.

class-map match-any http-hacks
  match protocol http url "*default.ida*"
  match protocol http url "*x.ida*"
  match protocol http url "*.ida*"
  match protocol http url "*cmd.exe*"
  match protocol http url "*root.exe*"
class-map match-any normal-traffic
  match any
!
!
policy-map drop-inbound-http-hacks
  class http-hacks
     police 10000 1000 1000 conform-action drop exceed-action drop violate-action drop
  class normal-traffic
     police 10000000 10000 10000 conform-action transmit exceed-action transmit

Simply speaking, I'm trying to bypass the marking of the packets (with
either DSCP or Precedence), as they are already identified by the class
map "http-hacks", and enforce the policing right in the first policy-map.
One of the reasons I'm trying to do this is that I don't want to upgrade to
their recommended IOS version >=12.1.5T; I'm running 12.0.18S Service
Provider version currently. All this looks good, but I'm not sure, if I
implement this, whether it will work properly. Can't test it, not much
time left before I have to implement something there.

Any ideas as to whether this should work, or someone implemented it
would be greatly appreciated.

Thanks and sorry for OT.
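As an added example (not from the post, and not Cisco's code), the following Python sketch applies the same match-any URL globs and the drop/transmit policy from the class-map and policy-map above to constructed web-server log lines, so the pattern list can be sanity-checked offline before it is pushed to a router. The access-log format, the case-insensitive matching and the sample entries are assumptions of this example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed to mirror the class-map in the post (not Cisco's code): NBAR-style URL
# globs, '*' = any run of characters. "*.ida*" already covers the first two entries.
HTTP_HACKS_URL_PATTERNS = ["*default.ida*", "*x.ida*", "*.ida*", "*cmd.exe*", "*root.exe*"]
# Mirrors the policy-map: http-hacks is policed to drop, everything else transmits.
ACTION_FOR_CLASS = {"http-hacks": "drop", "normal-traffic": "transmit"}
# Request line inside a combined-format access-log entry (assumed log format).
_REQUEST_RE = re.compile(r'"[A-Z]+ (?P<url>\S+) HTTP/\d\.\d"')

def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Anchored regex from an NBAR-style glob; only '*' is special. Case-insensitive
    matching is this example's assumption, not a claim about how IOS compares URLs."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)

_COMPILED = [(p, glob_to_regex(p)) for p in HTTP_HACKS_URL_PATTERNS]

def classify_url(url: str) -> Tuple[str, Optional[str]]:
    """match-any semantics: the first pattern that hits puts the URL in http-hacks."""
    for pattern, rx in _COMPILED:
        if rx.match(url):
            return "http-hacks", pattern
    return "normal-traffic", None

def classify_log_lines(lines: Iterable[str]) -> List[dict]:
    """Pull the request URL out of each log line and apply class-map + policy-map."""
    results = []
    for line in lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue  # no HTTP request line, so there is no URL to classify
        cls, pattern = classify_url(m.group("url"))
        results.append({"url": m.group("url"), "class": cls,
                        "matched": pattern, "action": ACTION_FOR_CLASS[cls]})
    return results

# Constructed sample entries; a real worm request carries a much longer query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Aug/2001:05:41:40 -0400] "GET /default.ida?XXXX HTTP/1.0" 200 -',
    '10.0.0.6 - - [14/Aug/2001:05:42:01 -0400] "GET /scripts/root.exe HTTP/1.0" 404 -',
    '10.0.0.7 - - [14/Aug/2001:05:42:15 -0400] "GET /index.html HTTP/1.1" 200 1234',
    '10.0.0.8 - - [14/Aug/2001:05:43:02 -0400] "GET /reports/florida.html HTTP/1.1" 200 99',
    '10.0.0.9 - - [14/Aug/2001:05:43:30 -0400] "GET /help/guide.idap HTTP/1.1" 200 42',
]

if __name__ == "__main__":
    for r in classify_log_lines(SAMPLE_LOG):
        print(f'{r["action"]:8} {r["class"]:14} {r["url"]}  (matched: {r["matched"]})')
```

The last two sample entries show the boundary of the "*.ida*" glob: "florida.html" is left alone because the dot is required, while an unrelated "guide.idap" is dropped, which is the kind of collateral match worth knowing about before policing a production link.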