11-29-2006 06:39 PM - edited 03-03-2019 02:51 PM
All,
The problem started when one user was not able to access some websites.
So we decided to run "debug ip packet" on our router (perimeter device) and noticed that the packet was getting dropped on our router because of the following policy-map mark_http_hacks and access-list.
class-map match-any http_hack
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*SAMPLE*.exe*"
 match protocol http url "*sample*.exe*"
 match protocol http url "*riched20.dll*"
 match protocol http url "*cool.dll*"
 match protocol http url "*sample.eml*"
 match protocol http url "*httpodbc.dll*"
 match protocol http url "*readme2.eml*"
 match protocol http url "*readme.eml*"
 match protocol http url "*admin.dll*"
!
!
policy-map mark_http_hacks
 description policy map that marks inbound http hacks
 class http_hack
  set ip dscp 1
!
access-list 110 deny ip any any dscp 1 log
access-list 110 permit ip any any
After that, one of our colleagues decided to change the value from "set ip dscp 1" to "set ip dscp 2" and modified the same value in the extended access-list (deny ip any any dscp 2 log). As soon as he changed it, he was able to browse without any problem.
Now, I would like to explore this further by asking you the following questions:
Why was the packet getting dropped on our router?
By changing the value, are we compromising our network security?
Where can I get more information about DSCP values (1, 2, etc.), about this particular access-list and HTTP attacks, and what is DSCP?
Thanks in advance.
Regards,
Khan
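Editor's added example (not code from the thread or from Cisco): a small Python model of the chain the posted configuration builds. NBAR classifies an HTTP request URL against the class-map's wildcard patterns, the policy-map marks a hit with DSCP 1, and access-list 110 then drops anything carrying DSCP 1 and logs it. The model makes one property of the configuration explicit: the ACL keys only on the DSCP value the packet carries when it is evaluated, so a packet that arrives already marked DSCP 1 is dropped even if its URL matched nothing, and raising both numbers to 2 stops that particular drop. It also shows how a DSCP value maps onto the IP ToS byte (DSCP is the upper six bits; the low two bits are ECN). Case-sensitive pattern matching is an assumption, suggested by the original listing both "*SAMPLE*.exe*" and "*sample*.exe*"; the sample requests are constructed.

```python
import fnmatch
from dataclasses import dataclass

# URL patterns copied from the posted class-map "http_hack".
HTTP_HACK_PATTERNS = [
    "*.ida*", "*cmd.exe*", "*root.exe*", "*SAMPLE*.exe*", "*sample*.exe*",
    "*riched20.dll*", "*cool.dll*", "*sample.eml*", "*httpodbc.dll*",
    "*readme2.eml*", "*readme.eml*", "*admin.dll*",
]

# Value the policy-map sets and the ACL denies (1 in the original, 2 after the change).
HACK_DSCP = 1


@dataclass
class Packet:
    src: str
    dst: str
    url: str = ""   # HTTP request URL as NBAR would see it; "" for non-HTTP traffic
    dscp: int = 0   # DSCP value carried in the IP header on arrival (0 = default)


def url_matches_hack_class(url):
    """Emulate 'class-map match-any http_hack': any single pattern hit is a match.
    Assumption: matching is case-sensitive (hence both SAMPLE and sample patterns)."""
    return any(fnmatch.fnmatchcase(url, pattern) for pattern in HTTP_HACK_PATTERNS)


def apply_policy_map(pkt, mark_dscp=HACK_DSCP):
    """Emulate 'policy-map mark_http_hacks': 'set ip dscp' on class http_hack traffic."""
    if pkt.url and url_matches_hack_class(pkt.url):
        pkt.dscp = mark_dscp
    return pkt


def acl_110(pkt, deny_dscp=HACK_DSCP):
    """Emulate access-list 110 in order:
         deny ip any any dscp <deny_dscp> log
         permit ip any any
    Returns (action, logged)."""
    if pkt.dscp == deny_dscp:
        return ("deny", True)
    return ("permit", False)


def process(pkt, mark_dscp=HACK_DSCP):
    """Run a packet through marking and then the ACL, as the router would."""
    apply_policy_map(pkt, mark_dscp)
    return acl_110(pkt, mark_dscp)


def tos_byte(dscp):
    """DSCP is the upper six bits of the ToS byte, so DSCP 1 is ToS 0x04 and DSCP 2 is 0x08."""
    return (dscp & 0x3F) << 2


if __name__ == "__main__":
    # Constructed sample traffic for illustration.
    samples = [
        Packet("192.0.2.10", "198.51.100.5", "/default.ida?NNNN"),        # matches "*.ida*"
        Packet("192.0.2.10", "198.51.100.5", "/scripts/root.exe?/c+dir"),  # matches "*root.exe*"
        Packet("192.0.2.20", "198.51.100.5", "/index.html"),              # ordinary request
        Packet("192.0.2.30", "198.51.100.5", "/index.html", dscp=1),      # arrived pre-marked
    ]
    for pkt in samples:
        action, logged = process(pkt)
        print(f"{pkt.src} {pkt.url!r:28} dscp={pkt.dscp} tos=0x{tos_byte(pkt.dscp):02x} -> {action}"
              + (" (logged)" if logged else ""))
    # The pre-marked packet is only passed once both values move to 2.
    print("pre-marked DSCP 1 with policy/ACL at 2:",
          process(Packet("192.0.2.30", "198.51.100.5", "/index.html", dscp=1), mark_dscp=2))
```

The last sample is the one worth checking against a real "debug ip packet" output: the log entry for a deny only tells you the packet had DSCP 1, not whether this router's policy-map set it or it arrived that way from upstream.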
11-29-2006 08:18 PM
Hi Khan,
Why was the packet getting dropped on our router?
I have to see the ip packet debug details to answer this question.
By changing the value, are we compromising our network security?
No. You can understand this by reading the DSCP/ToS details.
Where can I get more information about DSCP values (1, 2, etc.), about this particular access-list and HTTP attacks, and what is DSCP?
http://www.cisco.com/warp/public/105/dscpvalues.html
and
your case is explained at
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml
Please rate if it helps.
11-30-2006 12:12 AM
Could you please post the sh run of your perimeter router.
Narayan