How to block URLs with NBAR??

Hello guys,

I've spent a lot of time trying to block URLs using NBAR in a router (not class-maps type inspect http or policy-map type inspect http).

Let me show you what I've done:

class-map match-any HTTP
 match protocol http host "abc"
 match protocol http url "abc"
 match protocol http c-header-field "abc"
 match protocol http s-header-field "abc"
 match protocol http url "abc"

policy-map HTTP
 class HTTP
   drop

interface FastEthernet0/0
 ip address 132.3.4.4 255.255.255.0
 duplex auto
 speed auto
 service-policy input HTTP
end

I've used all the options available for the match protocol http under the class-map, trying to block a simple abc.com (I have an "ip host abc.com X.X.X.X" mapped in another router and it works fine). I have done this with ASA (using class-map type inspect matching headers and/or URIs) and I am quite sure it will work as well in a router using class-map type inspect http, but what about NBAR? The documentation/labs, specifically Security Workbook II, LAB 2-7.1, and Cisco documentation say it works. I know my regex could be better, but I am just trying "abc.com" in my browser; it should definitely match.

Yes, CEF is enabled :)

Any help will be appreciated! :)

Emilio

Comments

  • Does it make any difference if you use *abc* in your regex?

    From INE blog.

    Q1: What is the syntax for matching the URLs?

    A1: The syntax resembles regular expressions but it is actually
    not. Rather, it is more similar to using globs or wildcard special
    characters. The pattern you configured is matched against the string
    found after the “GET”, “POST” or “PUT” method in the HTTP request packet.
    Note that NBAR is smart enough to remove the leading “/” in the file
    path. However, the HTTP request must end with “\r\n” or the NBAR
    StILE (stateful inspection language engine) will not recognize it (an
    easy way to fool the inspection engine)!

    Here is the list of the available wildcards:

    “*” – match any pattern, e.g. “aaa”, “abcd1234”. To match the
    substring “xyz” at the beginning of a string use the pattern “xyz*”. To
    match “xyz” anywhere in the string use the pattern “*xyz*”. Use the
    pattern “*xyz” to match the substring at the end. Note that the pattern
    “xyz” matches only the exact string “xyz”. You may also use complicated
    patterns like “ab*cd*ef”, at the expense of some CPU penalty probably.

    “?” – match any single character. For example the pattern “???”
    matches “xyz”, “abc”, “efg”, “123”. You can mix “*” and “?” as in the
    pattern “tes*.????”.

    “[]” – match a range of characters. E.g. “[abc]” will match any single character “a”, “b” or “c”.

    “|” – alternative. Separate patterns with “|” in order to specify
    “OR” matching logic. For example “xyz|abc” matches either the full “xyz” or
    “abc” string. You may mix “|” with other globs like this:
    “*xyz*|*abc*|*pqr*”. Not sure about the overall limit on using the “|”
    symbol, but you’d better keep it to a minimum in order to make matching
    faster.

    “()” – grouping. Denotes the boundaries of a sub-pattern. For example instead of “*.txt|*.bin” you can write “*.(txt|bin)”.

    All matching is case insensitive, so the pattern “text” matches
    “TEXT” as well. The engine matches your URL pattern against the
    directory path and the file name in the URL. E.g. if the URL is
    “http://www.cisco.com/pub/uploads/image.jpeg”, the URL matching will only
    use the “pub/uploads/image.jpeg” part of the URL. As a matter of fact,
    when you submit a request like the above URL, it translates into the
    following headers (there are actually more, but this is the bare
    minimum):

    GET /pub/uploads/image.jpeg HTTP/1.1
    Host: www.cisco.com

  • Hi,

    Is this Dynamips?

    You may be testing it wrong. Have you tried enabling ip http server and pointing the abc.com entry to the router with HTTP enabled? After that, you can use another router in your topology and telnet to this router using the hostname on port 80, something like this:

    R1(config)#ip dns server
    R1(config)#ip http server
    R1(config)#ip host abc.com 150.1.1.1

    R2(config)#ip name-server 150.1.1.1
    R2(config)#ip domain-lookup
    R2(config)#do telnet abc.com 80

    HTH

    Good luck!

  • One more thing:

    Alternatively, you can also copy a file over HTTP:

    R1(config)#ip http path flash:abc.com

    Then create a dummy file on R1 named abc.com and on R2 you can copy http: flash:

    Use the hostname of abc.com and the filename of abc.com just for testing purposes.

  • Hi Emilio,

    If I have to match some URL, I always configure it like this: match protocol http host "*abc.com*"

    You can test by enabling the HTTP service on one router and trying to copy files from that router using the HTTP protocol (obviously you should have DNS configured or the ip host command).

    Good Luck

  • Thanks so much for the info guys!

    Actually yes, using "*abc*" or "*abc.com*" made it work. An error I was making was thinking that the regex on ASA acted the same way in routers; now I understand the difference with your recommendations and the info about regex on routers for matching URLs.

    Again, thanks so much!

    Emilio
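As an added example (my own code, not from the thread or the INE post): a Python model of the glob rules quoted above, run against a constructed HTTP request, which shows why the bare "abc" in the original class-map never matches the Host header or URL while "*abc*" and "*abc.com*" do. It assumes the contents of "[...]" can be copied into a regex character class verbatim, and it models only the request-line and Host matches, not the header-field options.

```python
import re

# Constructed HTTP request for the demo (not captured from the thread).
SAMPLE_REQUEST = "GET /pub/uploads/image.jpeg HTTP/1.1\r\nHost: www.abc.com\r\n\r\n"


def nbar_glob_to_regex(pattern):
    """Translate an NBAR URL/host pattern into a regex using the rules the
    INE post quotes: '*' any run, '?' one char, '[..]' char range, '|' OR,
    '(..)' grouping, case-insensitive, and the WHOLE string must match."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[":                  # copy the character class verbatim
            j = pattern.index("]", i)   # raises ValueError if unterminated
            out.append(pattern[i:j + 1])
            i = j
        elif c in "|()":
            out.append(c)
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.IGNORECASE)


def nbar_match(pattern, value):
    """True only when the pattern covers the complete value, which is why
    the bare pattern "abc" never matches "www.abc.com" but "*abc*" does."""
    return nbar_glob_to_regex(pattern).fullmatch(value) is not None


def parse_request(raw):
    """Return (url_part, host) as NBAR sees them: the request target without
    its leading '/', plus the Host header. None if the request line is not
    CRLF-terminated (the StILE caveat) or the method is not GET/POST/PUT."""
    end = raw.find("\r\n")
    if end == -1:
        return None
    method, _, rest = raw[:end].partition(" ")
    if method not in ("GET", "POST", "PUT"):
        return None
    url_part = rest.split(" ")[0].lstrip("/")
    m = re.search(r"^Host:[ \t]*(\S+)", raw, re.MULTILINE | re.IGNORECASE)
    return url_part, (m.group(1) if m else "")
```

Feed `parse_request(SAMPLE_REQUEST)` into `nbar_match` with each candidate pattern to see which of the thread's patterns would have fired on this request.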
