10.81 Advanced HTTP Classification with NBAR

Hi experts,

according to my testing, this SG statement is not true:

"Matching is case-sensitive and you can use patterns like [aA] to match both cases."


This also contradicts what is said in 11.12 Using NBAR for Content-Based Filtering,
where it is stated:

"All matching is case insensitive. The pattern "text" matches "TEXT" as well."


Any clarification would be highly appreciated!


tom

Comments

  • Hello, in the blog post, it says that is not case sensitive.

    I am also writing because on my Dynamips lab I have no match. Can someone confirm this problem for me?

    Thanks

  • Hello,

    At the very beginning I had the same problem, but you have to check several things:

    1. match protocol http url ".bin|.text|.taxt": this doesn't work. It seems you have to put the "*" to get a match (it's correct in the SG, but I thought it was a real pattern)

    2. In the check provided by the SG, you're going the wrong way: it should be SW1 -> R4 and not the opposite, as your policy-map is applied in output

    3. Bad luck, but take care with the routes too, because SW1 could go through R3 (I just shut interface f0/0 on R3 for the test)

    Regards

  • Hello,

    That's true. This classification is not case sensitive.

    ex: protocol http url "*.bin|*.text|*.taxt"
    it matches toto.text AND toto.TEXT

    Regards

  • I also have no match for this.

    Strangely, I can't even get a basic "*.bin" match to work (with service-policy input).

    Anyone else?

  • JoeMJoeM ✭✭✭

    I haven't looked at the task (done a long time ago). But just a note about what I remember when dealing with the HTTP URL.

    These are supposed to be bi-directional, but my experience was that the match is made on the GET request. Try matching in that direction, and let us know if this works.

  • Hi Joe

    Yep, this is an odd one - I expected this to be straightforward :/

    I'm basically testing this using SW1, R6 & R4.  R6 is where the NBAR config is applied (inbound on f0/0.146), R4 is where I issue the copy http command, and SW1 is where R4 connects to.

    I've stripped the config back to bare - it should just drop now:

    Config on R6:
    class-map match-all URLMATCH
     match protocol http url "*.bin"
    !
    !
    policy-map URLPOLICY
     class URLMATCH
      drop
    !
    int f0/0.146
     service-policy input URLPOLICY
    ! (I've tried both input/output)

    command on R4:
    copy http://admin:cisco@155.1.67.7/c3560-ipservicesk9-mz.150-2.SE/c3560-ipservicesk9-mz.150-2.SE.bin null:

    config on sw1:
    ip http server
    ip http path flash:

    I know that traffic from R4 to SW1 is going via R6:
    R4#traceroute 155.1.67.7
      1 155.1.146.6 4 msec 4 msec 4 msec
      2 155.1.67.7 4 msec *  0 msec

    Sh policy-map int f0/0.146 (on R6):
    R6#sh policy-map int f0/0.146
     FastEthernet0/0.146

      Service-policy output: URLPOLICY

        Class-map: URLMATCH (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url "*.bin"
          drop

        Class-map: class-default (match-any)
          29038 packets, 10672718 bytes
          5 minute offered rate 148000 bps, drop rate 0 bps
          Match: any

    To tell you the truth, it's stumped me!
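
An added example (not part of the thread or the SG): a small Python parser for the `show policy-map interface` output posted above. It reports the direction the policy is actually attached in and flags classes that have classified zero packets. The sample text is a trimmed copy of the posted output; the function names are hypothetical.

```python
import re

# Constructed sample: trimmed copy of the "show policy-map interface" output
# posted in the thread above (blank lines removed).
SAMPLE = """\
 FastEthernet0/0.146
  Service-policy output: URLPOLICY
    Class-map: URLMATCH (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.bin"
      drop
    Class-map: class-default (match-any)
      29038 packets, 10672718 bytes
      5 minute offered rate 148000 bps, drop rate 0 bps
      Match: any
"""

POLICY_RE = re.compile(r"^\s*Service-policy (input|output): (\S+)", re.I)
CLASS_RE = re.compile(r"^\s*Class-map: (\S+) \((match-all|match-any)\)")
COUNT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
MATCH_RE = re.compile(r"^\s*Match: (.+?)\s*$")

def parse_policy_map(text):
    """Return one dict per class with policy direction, counters and matches."""
    classes, direction, policy, cur = [], None, None, None
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            direction, policy = m.group(1).lower(), m.group(2)
        elif m := CLASS_RE.match(line):
            cur = {"policy": policy, "direction": direction, "class": m.group(1),
                   "packets": None, "bytes": None, "matches": []}
            classes.append(cur)
        elif cur and cur["packets"] is None and (m := COUNT_RE.match(line)):
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
        elif cur and (m := MATCH_RE.match(line)):
            cur["matches"].append(m.group(1))
    return classes

def silent_classes(classes):
    """Classes (other than class-default) that have classified no packets."""
    return [c for c in classes
            if c["class"] != "class-default" and c["packets"] == 0]

if __name__ == "__main__":
    for c in silent_classes(parse_policy_map(SAMPLE)):
        print(f'{c["policy"]}/{c["class"]} ({c["direction"]}): 0 packets for {c["matches"]}')
```
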

  • Hi All,

    I tried using the following:  match protocol http url /*.txt*

    R2#s policy-map int
     FastEthernet0/0

      Service-policy input: pm4

        Class-map: cm4 (match-all)
          5 packets, 1051 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url "/*.txt*"
          drop
    Seems to work in both directions. Needed "*" at end of "txt".

    Worked best using small MTU for file transfer.

  • Hi Randy - thanks for chiming in.

    I just amended my match to be like yours (albeit for .bin):

        Class-map: URLMATCH (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url "/*.bin*"
          drop

    As you can see - still nothing :(

    I'm running 15.1(3)T4.

    I want to move on, but this is really bugging me...!

    edit: also just tried "/*.text*" - same result :(     WTF?!!

    I was using 12.4(15)T. So, not surprising if matching rules have changed (or bug in my IOS; or order of configuration or something else).

    Best regards to all.

    I'm going to move on - I don't think I've misconfigured it, but I don't want to hang around any more on a minor feature.  I'll test again on the CSR platform later.

    Joe/Randy - Thanks for looking in.

    cheers
    will

  •  

    One observation that may be relevant is NBAR version.

    Noticed following about nbar on INE's CSR1000V:

    R1#show version
    Cisco IOS XE Software, Version 03.11.01.S - Standard Support Release
    Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(1)S1, RELEASE SOFTWARE (fc2)

    After "show ip nbar version":

    NBAR software version:  17
    NBAR minimum backward compatible version:  13   <<<<<<<<<<<<<<

    And INE routers:

    IOS 12.4(24)T  using nbar version 6

     

     
