Yep this is an odd one - I expected this to be straight forward :/
I'm basically testing this using SW1, R6 & R4. R6 is where the NBAR config is applied (inbound on f0/0.146), R4 is where I issue the copy http command, and SW1 is where R4 connects to.
I've stripped the config back to bare - it should just drop now:
Config on R6:
class-map match-all URLMATCH
match protocol http url "*.bin"
service-policy input URLPOLICY (I've tried both input/output)
command on R4:
copy http://admin:firstname.lastname@example.org/c3560-ipservicesk9-mz.150-2.SE/c3560-ipservicesk9-mz.150-2.SE.bin null:
config on sw1:
ip http server
ip http path flash:
I know that traffic from R4 to SW1 is going via R6:
1 188.8.131.52 4 msec 4 msec 4 msec
2 184.108.40.206 4 msec * 0 msec
Sh policy-map int f0/0.146 (on R6):
R6#sh policy-map int f0/0.146
Service-policy output: URLPOLICY
Class-map: URLMATCH (match-all)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*.bin"
Class-map: class-default (match-any)
29038 packets, 10672718 bytes
5 minute offered rate 148000 bps, drop rate 0 bps
To tell you the truth, Its stumped me!