11-29-2006 05:22 PM - edited 03-11-2019 02:02 AM
All,
Problem was started, when one user was not able to access some websites.
So we decided to run 'debug ip packet' on our router (perimeter device) and noticed that the packet was getting dropped on our router because of the following policy-map mark_http_hacks and access-list.
class-map match-any http_hack
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*SAMPLE*.exe*"
 match protocol http url "*sample*.exe*"
 match protocol http url "*riched20.dll*"
 match protocol http url "*cool.dll*"
 match protocol http url "*sample.eml*"
 match protocol http url "*httpodbc.dll*"
 match protocol http url "*readme2.eml*"
 match protocol http url "*readme.eml*"
 match protocol http url "*admin.dll*"
!
!
policy-map mark_http_hacks
 description policy map that marks inbound http hacks
 class http_hack
  set ip dscp 1
!
access-list 110 deny ip any any dscp 1 log
access-list 110 permit ip any any
After that, one of our colleagues decided to change the value from 'set ip dscp 1' to 'set ip dscp 2' and modified the same value in the extended access-list (deny ip any any dscp 2 log). As soon as he changed it, he was able to browse without any problem.
Now, I would like to explore this further by asking you the following questions:
Why was the packet getting dropped on our router?
By changing the value, are we compromising our network security?
Where can I get more information about DSCP values (1, 2, etc.), about this particular access-list and HTTP attacks, and what DSCP is?
Thanks in advance.
Regards,
Khan
11-29-2006 06:35 PM
please help me out
11-29-2006 06:59 PM
OK,
Here's the deal, from an 'overview' perspective.
Any packet(http) that has a URL that contains any of those strings that are in the quotes basically gets marked, and anything matching that mark gets dropped and logged.
Are you a little less secure because of this? Yes. Several of those lines deal with blocking code red:
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml#markinboundhacks
sample.exe/riched20.dll/cool.dll blocking is probably because of Nimda or a variant, and the others appear to be a remote admin hack.
(Quick tip: google those file names (ie admin.dll) and the word 'virus' in google and you can read up on them.)
What you did by setting them to dscp 2 is that your access list only blocks stuff marked with dscp 1. By setting everything to 2, it doesn't match that line and is allowed out.
What you need to find out is what it is getting dropped on (in theory you're logging that).
Here's some more information on dscp:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00801b2409.html
Hmmm, I just reread your note about setting both the policy map and access-list to dscp 2 - I would *verify* that it is the case.
The other thing is, look at that site and see why it is matching any of those strings.
--Jason
Please rate this message if it solved or answered some or all of your question/issue.
11-30-2006 11:12 AM
Hi jason,
Thank you very much for your response.
First, we are changing the setting to 2 in both (policy map and access-list), so how come we are ignoring those strings? See the following.
- dscp1 - required for all classes. Specifies one of 64
DSCP values from 0 to 63. This DSCP value corresponds
to drop precedence 1.
- dscp2 - (Optional for AF classes) Specifies one of 64
DSCP values from 0 to 63. This DSCP value corresponds
to drop precedence 2.
- dscp3 - (Optional for AF classes) Specifies one of 64
DSCP values from 0 to 63. This DSCP value corresponds
to drop precedence 3.
I just need a little more detailed notes on DSCP 1 and 2.
I still do not understand why it works when we change it to 2.
How do we verify whether those websites match any of the strings we have specified in our access-list?
Regards,
Khan
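As an added illustration (not from this thread, and not Cisco code), the Python below models the chain Jason describes: NBAR URL match, DSCP marking by the policy-map, then the ACL dropping on the DSCP value. It also answers Khan's question of checking which string a given URL hits. The pattern list is the one from the class-map above; representing NBAR's URL wildcards with fnmatch and matching case-sensitively are assumptions.

```python
import fnmatch
from typing import Optional, Tuple

# Constructed model of the thread's class-map/policy-map/ACL chain; not Cisco code.
# NBAR "match protocol http url" takes wildcard strings, modelled here with fnmatch.
# Case-sensitive matching is an assumption (the config lists both *SAMPLE*.exe*
# and *sample*.exe*, which suggests case matters).
HTTP_HACK_URLS = [
    "*.ida*", "*cmd.exe*", "*root.exe*", "*SAMPLE*.exe*", "*sample*.exe*",
    "*riched20.dll*", "*cool.dll*", "*sample.eml*", "*httpodbc.dll*",
    "*readme2.eml*", "*readme.eml*", "*admin.dll*",
]


def matching_pattern(url: str) -> Optional[str]:
    """class-map match-any http_hack: return the first pattern the URL hits, or None."""
    for pat in HTTP_HACK_URLS:
        if fnmatch.fnmatchcase(url, pat):
            return pat
    return None


def mark_dscp(url: str, mark_value: int) -> int:
    """policy-map mark_http_hacks: 'set ip dscp <mark_value>' on matching packets.
    Packets that hit no pattern keep the default DSCP of 0 (best effort)."""
    return mark_value if matching_pattern(url) is not None else 0


def acl_110(dscp: int, deny_value: int) -> str:
    """access-list 110: 'deny ip any any dscp <deny_value> log', then 'permit ip any any'."""
    return "deny (logged)" if dscp == deny_value else "permit"


def forward_decision(url: str, mark_value: int, deny_value: int) -> Tuple[int, str]:
    """Run one HTTP request URL through marking and then the ACL; return (dscp, action)."""
    dscp = mark_dscp(url, mark_value)
    return dscp, acl_110(dscp, deny_value)


if __name__ == "__main__":
    # Constructed sample URLs: a Code Red / Nimda style request and a harmless download
    # whose file name happens to hit *sample*.exe*, which is how a legitimate site gets blocked.
    for url in ("/scripts/root.exe", "/downloads/sample.exe", "/index.html"):
        print(url, "hits", matching_pattern(url))
        print("  dscp 1 / deny dscp 1:", forward_decision(url, 1, 1))
        print("  dscp 2 / deny dscp 1:", forward_decision(url, 2, 1))
        print("  dscp 2 / deny dscp 2:", forward_decision(url, 2, 2))
```

With both sides consistently on the same value the matching URL is still dropped; it is only permitted when the policy-map marks one value and the ACL denies another, which is why Jason asks to verify that both were really changed.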