NBAR confusion – usage of “match protocol http url”

September 5, 2008 at 5:04 pm | Posted in Blogroll, QoS, Security | 2 Comments

Doing IE WB1, Section Security – Task "Using NBAR to Filter Traffic". I am confused by the solution guide. The task is to drop HTTP IMAGE requests from Client to Server.

HTTP Client ------- R4 ------- Server HTTP
                       S0/1

The solution creates a policy that matches images using match protocol http url, but the policy is applied INBOUND on the WAN interface (S0/1)! I believe that this policy should be applied OUTBOUND to stop the HTTP requests.

However, that is not my main concern. I used to believe that “match protocol http url” can only be used to match HTTP REQUESTS, and not to match HTTP RESPONSES (IMAGE data) from the server. To match the IMAGE data itself, I thought that matching on the MIME type should be used. But it seems I may be WRONG!

“match protocol http url” seems to be able to match HTTP RESPONSE from Servers as well.

I tried sniffing (using Wireshark) a real HTTP session. I could see the reference to the URL in the GET request, but I do not see any reference to that URL in the data response from the server!

Below is the config and verification showing that both the HTTP requests for images and the returned image data can be matched by using “match protocol http url”.

Configuration:

R4#
class-map match-any IMAGES
 match protocol http url "*.gif"
 match protocol http url "*.jpeg|*.jpg"
!
! HTTP_REQUEST policy is my additional config, for illustrating the match counters only
policy-map HTTP_REQUEST
 class IMAGES
!
policy-map DROP_IMAGES
 class IMAGES
   drop
!
interface Serial0/1
 service-policy input DROP_IMAGES
 service-policy output HTTP_REQUEST

Verification:

Try to generate an HTTP GET request from inside (R1) to the outside 150.1.5.5 (HTTP server):

R1#copy http://150.1.5.5/test.jpg null:
%Error opening http://150.1.5.5/test.jpg (I/O error)

R4#sh policy-map interface s0/1
 Serial0/1 

  Service-policy input: DROP_IMAGES

    Class-map: IMAGES (match-any)
      8 packets, 1657 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.gif"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg"
        8 packets, 1657 bytes
        5 minute rate 0 bps
      drop

    Class-map: class-default (match-any)
      18 packets, 1530 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any 

  Service-policy output: HTTP_REQUEST

    Class-map: IMAGES (match-any)
      5 packets, 708 bytes
      5 minute offered rate 0 bps
      Match: protocol http url "*.gif"
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.jpeg|*.jpg"
        5 packets, 708 bytes
        5 minute rate 0 bps

    Class-map: class-default (match-any)
      27 packets, 1936 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Wireshark view of HTTP GET request

Wireshark view of return IMAGE DATA
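
Added illustration (not code from the post, and not Cisco's NBAR implementation): a small Python model of the stateful classification that would produce counters like the ones above. The assumption it encodes, which I take to be how NBAR's "http url" matching behaves, is that once the URL in the client's GET has matched a class, the whole flow is tagged and every later packet of that flow, in both directions, inherits the class. The server's image data, which carries no URL, is therefore counted under IMAGES inbound on S0/1, while the request itself is counted outbound. The client address 10.1.1.1, the packet sequence and the payloads are constructed; `Packet`, `NbarUrlClassifier`, `run_policy` and `image_fetch` are hypothetical names.

```python
# Model of stateful NBAR HTTP URL classification. Added illustration only:
# this is not Cisco code, and the "tag the flow on the first matching URL,
# both directions inherit the class" behaviour is the assumption being shown.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes = b""


CLIENT, SERVER = "10.1.1.1", "150.1.5.5"  # client address constructed; server is the post's

# class-map match-any IMAGES, as configured on R4; '|' separates alternatives
CLASS_MAPS = {"IMAGES": ['*.gif', '*.jpeg|*.jpg']}


def request_url(payload: bytes):
    """Return the URL from an HTTP request line, or None for any other payload."""
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(line) == 3 and line[2].startswith("HTTP/") and line[0] in ("GET", "POST", "HEAD"):
        return line[1]
    return None


class NbarUrlClassifier:
    """Assumed behaviour: the first packet whose URL matches a class tags the
    flow; later packets of that flow, in either direction, inherit the class.
    Packets seen before the URL (the TCP handshake) stay in class-default."""

    def __init__(self, class_maps):
        self.patterns = {
            name: [p for alt in pats for p in alt.split("|")]
            for name, pats in class_maps.items()
        }
        self.flows = {}  # direction-agnostic flow key -> class name

    @staticmethod
    def flow_key(pkt):
        # A set of the two endpoints, so request and response map to one flow.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def classify(self, pkt):
        key = self.flow_key(pkt)
        if key not in self.flows:
            url = request_url(pkt.payload)
            if url is not None:
                for name, pats in self.patterns.items():
                    if any(fnmatchcase(url, p) for p in pats):
                        self.flows[key] = name
                        break
        return self.flows.get(key, "class-default")


def run_policy(packets, nbar, drop_direction):
    """Apply the post's policies on S0/1: client->server packets leave on
    'output', server->client packets arrive on 'input'. IMAGES is dropped only
    in drop_direction ('input' in the post); the other direction just counts."""
    counters = {d: {"IMAGES": 0, "class-default": 0, "dropped": 0} for d in ("input", "output")}
    for pkt in packets:
        direction = "output" if pkt.src == CLIENT else "input"
        cls = nbar.classify(pkt)
        counters[direction][cls] += 1
        if cls == "IMAGES" and direction == drop_direction:
            counters[direction]["dropped"] += 1
    return counters


def image_fetch(sport=40001, path="/test.jpg"):
    """Constructed exchange: 3-way handshake, GET, three data segments, client ACK."""
    c2s = lambda payload=b"": Packet(CLIENT, SERVER, sport, 80, payload)
    s2c = lambda payload=b"": Packet(SERVER, CLIENT, 80, sport, payload)
    get = f"GET {path} HTTP/1.1\r\nHost: {SERVER}\r\n\r\n".encode()
    return [c2s(), s2c(), c2s(), c2s(get),
            s2c(b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8"),
            s2c(b"\x00" * 500), s2c(b"\x00" * 500), c2s()]


if __name__ == "__main__":
    print(run_policy(image_fetch(), NbarUrlClassifier(CLASS_MAPS), "input"))
```

Running `run_policy` with the drop on "output" instead of "input" shows the difference the post raises: the GET is dropped before it leaves R4, instead of the image data being dropped on the way back (which is what produces the client's I/O error).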

2 Comments »


  1. Instead of using match protocol http url… you can use match protocol http mime… which is actually the preferred method when trying to match images

    eg:
    match protocol http mime image/jpeg
    ### This would match jpeg,jpg,jpe,jfif,pjpeg, and pjp types ###

  2. Hi Janviljoen,

    I’m aware of that method to filter traffic. I highlighted it in my original post as well.

    “However, that is not my main concern. I used to believe that “match protocol http url” can only be used to match HTTP REQUESTS, and not to match HTTP RESPONSES (IMAGE data) from server. To match IMAGE data themselves, I thought that match MIME type should be used. But it seems I may be WRONG!”

    The task here is to stop clients from requesting any pictures.

