https://community.cisco.com/t5/network-security/dscp/m-p/628904#M1035078 <HTML><HEAD></HEAD><BODY><P>please help me out</P></BODY></HTML> Thu, 30 Nov 2006 02:35:01 GMT azmath.hk 2006-11-30T02:35:01Z https://community.cisco.com/t5/network-security/dscp/m-p/628903#M1035075 <P>All,</P><P></P><P>Problem was started, when one user was not able to access some websites. </P><P></P><P>So we decided to run ?debug ip packet ? on our router (perimeter device) and noticed that packet was getting dropped on our router, because of the following policy-map mark_http_hacks access-list .</P><P></P><P>class-map match-any http_hack</P><P> match protocol http url "*.ida*"</P><P> match protocol http url "*cmd.exe*"</P><P> match protocol http url "*root.exe*"</P><P> match protocol http url "*SAMPLE*.exe*"</P><P> match protocol http url "*sample*.exe*"</P><P> match protocol http url "*riched20.dll*"</P><P> match protocol http url "*cool.dll*"</P><P> match protocol http url "*sample.eml*"</P><P> match protocol http url "*httpodbc.dll*"</P><P> match protocol http url "*readme2.eml*"</P><P> match protocol http url "*readme.eml*"</P><P> match protocol http url "*admin.dll*"</P><P>! </P><P>! </P><P>policy-map mark_http_hacks</P><P> description policy map that marks inbound http hacks</P><P> class http_hack</P><P> set ip dscp 1</P><P></P><P>access-list 110 deny ip any any dscp 1 log</P><P>access-list permit ip any any</P><P></P><P>After that one of our colleague decided to change the value from ?set ip dscp 1? to ?set ip dscp 2? and modified the same value in extended access-list (deny ip any any dscp 2 log), As soon as he changed he was able to browse without any problem.</P><P></P><P>Now, I would like to explore more on the same by asking you the following question:-</P><P></P><P>Why packet was getting dropped on our router?</P><P>By changing the value are we compromising with our network security?</P><P>Where can I get more information about dscp values(1,2, etc) and about this particular access-list and http attacks and what is DSCP</P><P></P><P>Thanks is advance.</P><P></P><P>Regards,</P><P>Khan</P><P></P> Mon, 11 Mar 2019 09:02:33 GMT https://community.cisco.com/t5/network-security/dscp/m-p/628903#M1035075 azmath.hk 2019-03-11T09:02:33Z https://community.cisco.com/t5/network-security/dscp/m-p/628904#M1035078 <HTML><HEAD></HEAD><BODY><P>please help me out</P></BODY></HTML> Thu, 30 Nov 2006 02:35:01 GMT https://community.cisco.com/t5/network-security/dscp/m-p/628904#M1035078 azmath.hk 2006-11-30T02:35:01Z https://community.cisco.com/t5/network-security/dscp/m-p/628905#M1035081 <HTML><HEAD></HEAD><BODY><P>OK, </P><P></P><P>Here's the deal, from a 'overview' perspective.</P><P></P><P>Any packet(http) that has a URL that contains any of those strings that are in the quotes basically gets marked, and anything matching that mark gets dropped and logged.</P><P></P><P>Are you a little less secure because of this? Yes. Several of those lines deal with blocking code red:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml#markinboundhacks" target="_blank">http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml#markinboundhacks</A></P><P></P><P>sample.exe/riche20.dll/cool.dll blocking is probably because of Nimda or a variant, and the others appear to be a remote admin hack.</P><P></P><P>(Quick tip: google those file names (ie admin.dll) and the word 'virus' in google and you can read up on them. </P><P></P><P>What you did by setting them to dscp 2 is that your access list only blocks stuff marked with dscp 1. By setting everything to 2, it doesn't match that line and is allowed out.</P><P></P><P>What you need to find out is what it is getting dropped on (in theory you're logging that)</P><P></P><P>Here's some more information on dscp:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00801b2409.html" target="_blank">http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00801b2409.html</A></P><P></P><P>Hmmm, I just reread your note about setting both the policy map and access-list to dscp 2 - I would *verify* that it is the case. </P><P></P><P>The other thing is, look at that site and see why it is matching any of those strings.</P><P></P><P>--Jason</P><P></P><P>Please rate this message if it solved or answered some or all of your question/issue.</P></BODY></HTML> Thu, 30 Nov 2006 02:59:29 GMT https://community.cisco.com/t5/network-security/dscp/m-p/628905#M1035081 jgervia_2 2006-11-30T02:59:29Z https://community.cisco.com/t5/network-security/dscp/m-p/628906#M1035082 <HTML><HEAD></HEAD><BODY><P>Hi jason,</P><P></P><P>Thank you very much for your response.</P><P></P><P>First, we are changing setting to 2 in both (policy map and access-list), so how come we are ignoring those strings. See the following.</P><P></P><P>? dscp1?required for all classes. Specifies one of 64</P><P>DSCP values from 0 to 63. This DSCP value corresponds</P><P>to drop precedence 1.</P><P>Chhetry, Prakash says:</P><P>dscp2?(Optional for AF classes) Specifies one of 64</P><P>DSCP values from 0 to 63. This DSCP value corresponds</P><P>to drop precedence 2.</P><P>? dscp3?(Optional for AF classes) Specifies one of 64</P><P>DSCP values from 0 to 63. This DSCP value corresponds</P><P>to drop precedence 3.</P><P></P><P>I just need little more detailed notes on DSCP 1 and 2. </P><P></P><P>Still I do not understand why it is working when we change it to 2?</P><P></P><P>How do we verify that those websites whether they are matching any of the strings which we have specified in out access-list.</P><P></P><P>Regards,</P><P>Khan</P><P></P></BODY></HTML> Thu, 30 Nov 2006 19:12:56 GMT https://community.cisco.com/t5/network-security/dscp/m-p/628906#M1035082 azmath.hk 2006-11-30T19:12:56Z