Matching image requests using "match protocol http url "*.jpeg" posted 09/05/2008


Hi GS,

I am confused by a solution to one of the QoS tasks in IEWB (IE WB1, Section
Security - Task Using NBAR to Filter Traffic). The task is to drop HTTP
IMAGE requests from Client to Server.

HTTP Client ------- R4 ------- Server HTTP
                       S0/1 

The solution creates a policy that matches images using match http url, but the
policy is applied INBOUND on the WAN interface (S0/1)! I believe that
this policy should be applied OUTBOUND to stop HTTP Requests.

However, that is not my main concern. I used to believe that
"match protocol http url" could only be used to match HTTP REQUESTS, and
not to match HTTP RESPONSES (IMAGE data) from the server. To match the IMAGE
data itself, I thought that match MIME type should be used. But it
seems I may be WRONG!

"match protocol http url" seems to be able to match HTTP RESPONSE from
Servers as well.

I tried sniffing (using Wireshark) a real HTTP session. I could see
the reference to the URL in the GET request, but I do not see any reference
to that URL in the data response from the server!

Could anyone please comment on the usage of the command "match protocol
http url"? Thanks,



Below is config and verification to show that both HTTP requests for
Images and Image return data can be matched by using "match protocol
http url".

Configuration:

R4#

class-map match-any IMAGES
 match protocol http url "*.gif"
 match protocol http url "*.jpeg|*.jpg"
!
!
! HTTP_REQUEST policy is my additional config for matching illustration
policy-map HTTP_REQUEST
 class IMAGES

policy-map DROP_IMAGES
 class IMAGES
   drop

interface Serial0/1
 service-policy input DROP_IMAGES
 service-policy output HTTP_REQUEST




Verification:
-------------

Try to generate HTTP get request from inside (R1) to outside 150.1.5.5
(HTTP Server)
 
R1#copy http://150.1.5.5/test.jpg null:
%Error opening http://150.1.5.5/test.jpg (I/O error)

R4#sh policy-map interface s0/1
 Serial0/1 

  Service-policy input: DROP_IMAGES

    Class-map: IMAGES (match-any)
      8 packets, 1657 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.gif"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg"
        8 packets, 1657 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      18 packets, 1530 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 

  Service-policy output: HTTP_REQUEST

    Class-map: IMAGES (match-any)
      5 packets, 708 bytes
      5 minute offered rate 0 bps
      Match: protocol http url "*.gif"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg"
        5 packets, 708 bytes
        5 minute rate 0 bps

    Class-map: class-default (match-any)
      27 packets, 1936 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
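The counters above show the IMAGES class being hit by the output policy (the request direction) and by the input policy (the response direction) on the same interface, even though only the GET request carries the URL. One model that reproduces those counters is a stateful classifier: the URL is inspected once in the request, the flow is tagged, and every later packet of that flow in either direction inherits the tag. The Python below is an added simulation of that model, not code from the post or from Cisco, and it does not claim to be NBAR's actual implementation; the client address 10.0.0.1, the port numbers and the packet payloads are constructed for the example, while the class-map patterns and the server address 150.1.5.5 come from the post. It also shows why a dropping policy placed on the inbound side discards the returned image data while the request itself has already left the router.

```python
import fnmatch
from collections import namedtuple

# Constructed packet model for the simulation (this is not a capture).
Packet = namedtuple("Packet", "src sport dst dport payload")

# The class-map from the post, in NBAR's url syntax:
# "*" is a wildcard and "|" separates alternative patterns.
IMAGE_PATTERNS = ['*.gif', '*.jpeg|*.jpg']


def url_matches(url, pattern):
    """True if the request path matches any '|'-separated alternative."""
    path = url.split('?', 1)[0]          # ignore any query string
    return any(fnmatch.fnmatchcase(path, alt) for alt in pattern.split('|'))


def request_url(payload):
    """Return the request-target of an HTTP request line, else None.
    A response line ('HTTP/1.1 200 OK') or a raw data segment has no URL."""
    try:
        line = payload.split(b'\r\n', 1)[0].decode('ascii')
    except UnicodeDecodeError:
        return None
    parts = line.split(' ')
    if len(parts) == 3 and parts[0].isalpha() and parts[2].startswith('HTTP/'):
        return parts[1]
    return None


class StatefulUrlClassifier:
    """Assumed model of 'match protocol http url': the URL is only visible in
    the request, so the flow is tagged there and every later packet of that
    flow, in either direction, inherits the classification."""

    def __init__(self, patterns):
        self.patterns = patterns
        self.flows = {}   # direction-independent flow key -> matched pattern

    @staticmethod
    def flow_key(pkt):
        # Sort the two endpoints so request and response map to the same key.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def classify(self, pkt):
        """Return the matching pattern, or None for class-default."""
        key = self.flow_key(pkt)
        if key in self.flows:
            return self.flows[key]
        url = request_url(pkt.payload)
        if url is None:
            return None
        for pat in self.patterns:
            if url_matches(url, pat):
                self.flows[key] = pat
                return pat
        return None


def run_policies(packets, client):
    """Count what an output policy (client->server) and an input policy
    (server->client) on the WAN interface would each classify as IMAGES."""
    clf = StatefulUrlClassifier(IMAGE_PATTERNS)
    counts = {'output_matched': 0, 'input_matched': 0, 'unmatched': 0}
    for pkt in packets:
        if clf.classify(pkt) is None:
            counts['unmatched'] += 1
        elif pkt.src == client:
            counts['output_matched'] += 1   # request direction (HTTP_REQUEST)
        else:
            counts['input_matched'] += 1    # response direction (DROP_IMAGES)
    return counts


def run_demo():
    client, server = '10.0.0.1', '150.1.5.5'   # client address is constructed
    pkts = [
        Packet(client, 40001, server, 80, b'GET /test.jpg HTTP/1.1\r\nHost: 150.1.5.5\r\n\r\n'),
        Packet(client, 40001, server, 80, b''),                               # bare ACK
        Packet(server, 80, client, 40001, b'HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n'),
        Packet(server, 80, client, 40001, b'\xff\xd8\xff\xe0' + b'\x00' * 20),   # JPEG bytes
        Packet(client, 40002, server, 80, b'GET /index.html HTTP/1.1\r\nHost: 150.1.5.5\r\n\r\n'),
        Packet(server, 80, client, 40002, b'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'),
    ]
    return run_policies(pkts, client)


if __name__ == '__main__':
    print(run_demo())   # {'output_matched': 2, 'input_matched': 2, 'unmatched': 2}
```

Under this model the bare ACK and the image data segments carry no URL at all, yet they are still counted against the IMAGES class because their flow was tagged by the GET; that is the behaviour the input counters in the post suggest. It also makes the practical point visible: an input policy on the WAN side can only discard the response, so the request has already reached the server, whereas an output policy stops the request before it leaves.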