DSCP 1

azmath.hk
Level 1

All,

The problem started when one user was not able to access some websites.

So we decided to run "debug ip packet" on our router (perimeter device) and noticed that the packet was getting dropped on our router because of the following policy-map mark_http_hacks access-list.

class-map match-any http_hack
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*SAMPLE*.exe*"
 match protocol http url "*sample*.exe*"
 match protocol http url "*riched20.dll*"
 match protocol http url "*cool.dll*"
 match protocol http url "*sample.eml*"
 match protocol http url "*httpodbc.dll*"
 match protocol http url "*readme2.eml*"
 match protocol http url "*readme.eml*"
 match protocol http url "*admin.dll*"
!
!
policy-map mark_http_hacks
 description policy map that marks inbound http hacks
 class http_hack
  set ip dscp 1

access-list 110 deny ip any any dscp 1 log
access-list permit ip any any

After that, one of our colleagues decided to change the value from "set ip dscp 1" to "set ip dscp 2" and modified the same value in the extended access-list (deny ip any any dscp 2 log). As soon as he changed it, he was able to browse without any problem.

Now, I would like to explore this further by asking you the following questions:

Why was the packet getting dropped on our router?

By changing the value, are we compromising our network security?

Where can I get more information about DSCP values (1, 2, etc.), about this particular access-list and HTTP attacks, and what is DSCP?

Thanks in advance.

Regards,

Khan

2 Replies

rajivrajan1
Level 3

Hi Khan,

Why was the packet getting dropped on our router?

I have to see the ip packet debug details to answer this question.

By changing the value, are we compromising our network security?

No. You can understand this by reading the DSCP/ToS details.

Where can I get more information about DSCP values (1, 2, etc.), about this particular access-list and HTTP attacks, and what is DSCP?

http://www.cisco.com/warp/public/105/dscpvalues.html

and your case is explained at

http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

Please rate if it helps.

Could you please post the sh run of your perimeter router?

Narayan
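
A small Python model of the class-map, policy-map and access-list 110 posted in the question, added here as an illustration; it is not code from either poster or from Cisco. It assumes case-sensitive glob matching and that marking happens before the ACL is evaluated, and it uses constructed sample requests. It shows that the deny line acts on the DSCP field alone, so a packet that already arrives carrying that DSCP value is dropped whatever its URL.

```python
from fnmatch import fnmatchcase

# URL patterns copied from the class-map http_hack in the post.
HTTP_HACK = ["*.ida*", "*cmd.exe*", "*root.exe*", "*SAMPLE*.exe*", "*sample*.exe*",
             "*riched20.dll*", "*cool.dll*", "*sample.eml*", "*httpodbc.dll*",
             "*readme2.eml*", "*readme.eml*", "*admin.dll*"]

def dscp_from_tos(tos_byte):
    """DSCP is the upper six bits of the IPv4 ToS / DS byte."""
    return (tos_byte >> 2) & 0x3F

def matches_http_hack(url):
    """match-any: one matching pattern is enough.
    Case-sensitive glob matching is an assumption of this model."""
    return any(fnmatchcase(url, p) for p in HTTP_HACK)

def evaluate(url, tos_byte, mark):
    """Return (action, reason) for one HTTP request.
    mark is the value used in both 'set ip dscp' and the ACL deny line."""
    dscp = dscp_from_tos(tos_byte)
    if matches_http_hack(url):
        dscp = mark  # policy-map mark_http_hacks: set ip dscp <mark>
        reason = "URL matched http_hack"
    else:
        reason = "DSCP as received"
    if dscp == mark:  # access-list 110 deny ip any any dscp <mark> log
        return "deny", reason
    return "permit", reason

# Constructed sample requests: (URL, ToS byte as received)
SAMPLES = [
    ("/default.ida?NNNNNNNN", 0x00),        # hits "*.ida*"
    ("/scripts/root.exe?/c+dir", 0x00),     # hits "*root.exe*"
    ("/index.html", 0x00),                  # no pattern, DSCP 0
    ("/index.html", 0x04),                  # pre-marked: ToS 0x04 == DSCP 1
    ("/downloads/sample_setup.exe", 0x00),  # benign URL, broad pattern
]

def run(mark):
    return [(url, hex(tos)) + evaluate(url, tos, mark) for url, tos in SAMPLES]

if __name__ == "__main__":
    for mark in (1, 2):
        print(f"--- set ip dscp {mark} / deny dscp {mark} ---")
        for row in run(mark):
            print(row)
```

With mark 1 the pre-marked `/index.html` request is denied, with mark 2 it is permitted, while every URL that matches a pattern is denied under both values.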
