Security Internetworking Experts
Author Topic: NBAR/NIMDA
ccietobe9 (Member, #31901)
posted February 09, 2012 09:09 PM
I was practicing NBAR scenarios and wanted to find more examples on the internet, and I found several questions posted by other members on the securityIE forum,
e.g. http://www.securityie.com/cgi-bin/ultimatebb.cgi?ubb=get_topic;f=10;t=003150

I came up with another solution to those questions. Tell me what you guys think. I have used nested class-maps and marked packets entering one interface with DSCP value 1, then dropped them on the egress interface. Do you guys think it's a good solution?

! Nested class-maps: MARK_HTTP matches any one of the worm URL signatures,
! MARK_PACKET requires that match AND the HTTP Host header "1.1.1.1".
class-map match-any MARK_HTTP
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
class-map match-all MARK_PACKET
 match class-map MARK_HTTP
 ! 'http host' compares the Host header string, not the destination IP
 match protocol http host "1.1.1.1"
!
! Ingress: mark matching packets with DSCP 1
policy-map MARK_DSCP
 class MARK_PACKET
  set dscp 1
!
interface FastEthernet0/1
 ip address
 service-policy input MARK_DSCP
!
! Egress: drop anything that arrived carrying DSCP 1
class-map match-all DROP_DSCP
 match ip dscp 1
!
policy-map DROP_DSCP
 class DROP_DSCP
  drop
!
interface FastEthernet0/2
 ip address
 service-policy output DROP_DSCP

Posts: 37 | From: US | Registered: Jan 2012
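To check what the posted class-maps actually select, here is a small Python model of their evaluation order, run over constructed HTTP requests. This is an added example, not code from the post or from Cisco: the function names (parse_request, classify_posted, classify_by_dst), the sample requests and the case-folded URL comparison are this example's own assumptions. The point it makes is that "match protocol http host" compares the Host header string, so a worm request addressed to 1.1.1.1 that carries a different Host header, or none at all, is never marked by MARK_PACKET; scoping by destination address instead (in IOS, "match access-group" against an extended ACL that permits ip any host 1.1.1.1) is modelled alongside for comparison.

```python
"""Model of the thread's NBAR classification, run over constructed HTTP requests.

Added example, not code from the original post or from Cisco. It reproduces the
evaluation order of the posted class-maps in plain Python so the match-any /
match-all nesting and the Host-header semantics can be checked offline.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The four URL signatures from the posted MARK_HTTP class-map (match-any).
URL_PATTERNS = ("*.ida*", "*cmd.exe*", "*root.exe*", "*readme.eml*")
# The value the post gives to 'match protocol http host'.
TARGET_HOST = "1.1.1.1"

_REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<url>\S+) HTTP/(?P<ver>[\d.]+)(?:\r?\n|$)")


@dataclass(frozen=True)
class HttpRequest:
    dst_ip: str             # destination address on the wire
    url: str                # request-URI from the request line
    host: Optional[str]     # Host header value, None if the request carries none


def parse_request(dst_ip: str, raw: str) -> HttpRequest:
    """Parse a raw request (request line plus headers) into an HttpRequest."""
    m = _REQUEST_LINE.match(raw)
    if m is None:
        raise ValueError("not an HTTP request line: %r" % raw[:40])
    host = None
    for line in raw.split("\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    return HttpRequest(dst_ip=dst_ip, url=m.group("url"), host=host)


def match_url_any(req: HttpRequest) -> bool:
    """MARK_HTTP (class-map match-any): true if any signature matches the URL.
    The compare is case-folded here; that is this model's assumption, not a
    documented NBAR property, so verify it on your platform."""
    url = req.url.lower()
    return any(fnmatch.fnmatchcase(url, p) for p in URL_PATTERNS)


def match_http_host(req: HttpRequest, host: str) -> bool:
    """'match protocol http host': compares the Host header string, not the
    address the packet is sent to."""
    return req.host is not None and req.host.lower() == host.lower()


def classify_posted(req: HttpRequest) -> bool:
    """MARK_PACKET as posted: match-all of the nested URL class and the Host check."""
    return match_url_any(req) and match_http_host(req, TARGET_HOST)


def classify_by_dst(req: HttpRequest, target_ip: str = TARGET_HOST) -> bool:
    """Same signatures, scoped by destination address instead of Host header,
    which is what 'match access-group' against an extended ACL would give."""
    return match_url_any(req) and req.dst_ip == target_ip


# Constructed sample requests (not captured traffic); first field is the wire destination.
SAMPLES = {
    "nimda_root_exe_host_ip":  ("1.1.1.1", "GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: 1.1.1.1\r\n\r\n"),
    "nimda_root_exe_host_www": ("1.1.1.1", "GET /scripts/root.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"),
    "codered_ida_no_host":     ("1.1.1.1", "GET /default.ida?NNNNNNNN HTTP/1.0\r\n\r\n"),
    "nimda_cmd_exe_other_srv": ("2.2.2.2", "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: 2.2.2.2\r\n\r\n"),
    "nimda_readme_eml":        ("1.1.1.1", "GET /readme.eml HTTP/1.1\r\nHost: 1.1.1.1\r\n\r\n"),
    "benign_index":            ("1.1.1.1", "GET /index.html HTTP/1.1\r\nHost: 1.1.1.1\r\n\r\n"),
}


def classify_all(samples=SAMPLES) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (marked by the posted config, marked by the destination-IP variant)}."""
    out = {}
    for name, (dst_ip, raw) in samples.items():
        req = parse_request(dst_ip, raw)
        out[name] = (classify_posted(req), classify_by_dst(req))
    return out


if __name__ == "__main__":
    for name, (posted, by_dst) in classify_all().items():
        print("%-26s posted=%-5s by_dst=%s" % (name, posted, by_dst))
```

Two things to carry back to the router config: only the requests whose Host header is literally "1.1.1.1" are marked by the posted MARK_PACKET, while the destination-address variant catches every worm URL sent to that server regardless of the header; and the egress drop in the posted design only fires for packets routed out FastEthernet0/2, so if the drop is meant to cover the attack on any path, applying the drop action in the ingress policy removes that dependence.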
Kingsley Charles (CCSP, CCNP, CCIP) (Brainiac, #29872)
posted February 10, 2012 10:00 PM
So you are matching the pattern only with a host value of "1.1.1.1".

Logically it is correct, but I hope there is no bug in IOS and it works.

With regards
Kings

Posts: 887 | From: India | Registered: Jun 2010
ccietobe9 (Member, #31901)
posted February 11, 2012 08:12 AM
quote:
Originally posted by Kingsley Charles (CCSP, CCNP, CCIP):
So you are matching the pattern only with a host value of "1.1.1.1".

Logically it is correct, but I hope there is no bug in IOS and it works.

With regards
Kings

I am matching 'every' HTTP URL line together with the IP address 1.1.1.1. There is a match-any in the HTTP class-map, and then there is a match-all in the second class-map. To my understanding, every HTTP URL line should match along with the pattern on 1.1.1.1.

class-map match-any MARK_HTTP
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
class-map match-all MARK_PACKET
 match class-map MARK_HTTP
 match protocol http host "1.1.1.1"

Posts: 37 | From: US | Registered: Jan 2012
shamulong (Member, #21233)
posted March 17, 2012 08:56 AM
Oh god, you need to: on the attack's inbound interface, set ip dscp 1 using NBAR; and on the attack's outbound interface, deny any dscp 1, permit any, applied outbound.
Posts: 45 | From: China | Registered: Jan 2007