[c-nsp] Cisco nbar - How to detect media streamings

Jorge Evangelista netsecuredata at gmail.com
Sat Jul 1 00:31:24 EDT 2006


Hi Eric, you can try it.

class-map match-any StreamingMedia
 match protocol cuseeme file-transfer *
 match protocol fasttrack file-transfer *
 match protocol gnutella file-transfer *
 match protocol kazaa2 file-transfer *
 match protocol napster  file-transfer *
 match protocol netshow file-transfer *
 match protocol rtp file-transfer *
 match protocol rtspplayer file-transfer *
 match protocol vdolive file-transfer *
 match protocol streamwork file-transfer *
!
!
policy-map mark-StreamingMedia
 class StreamingMedia
  set ip dscp 1
!
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
!

int FastEthernet0
   description PIX/Inside facing interface
   ! the service-policy must reference the policy-map, not the class-map
   service-policy input mark-StreamingMedia

int Serial0
   description Internet/Outside facing interface
   ip access-group 105 out

On 6/25/06, Eric Pylko <eric at infinitenetworks.us> wrote:
>
>
> > -------- Original Message --------
> > Subject: Re: [c-nsp] Cisco nbar - How to detect media streamings
> > From: Matt Stevens <matt at elevate.org>
> > Date: Fri, June 23, 2006 2:59 pm
> > To: Velasquez Venegas Jaime Omar <jaime at ulima.edu.pe>
> > Cc: cisco-nsp at puck.nether.net
> >
> > Most of the newer P2P PDLM files will detect the protocol on any port.
> >
> > They appear in the list as being bound to their well-known port(s), but
> > will detect traffic matching the signature on any port.
> > --
> > matt
> >
>
> I was just trying to do something similar - block protocols with NBAR.
> Cisco has a document on their website that goes something like this
> (my config which didn't work):
>
> !
> class-map match-any StreamingMedia
>  match protocol cuseeme
>  match protocol fasttrack
>  match protocol gnutella
>  match protocol kazaa2
>  match protocol napster
>  match protocol netshow
>  match protocol rtp
>  match protocol rtspplayer
>  match protocol vdolive
>  match protocol streamwork
> !
> !
> policy-map mark-StreamingMedia
>  class StreamingMedia
>   set ip dscp 1
>
> access-list 105 deny ip any any dscp 1
> access-list 105 permit ip any any
> !
>
> The idea is that you apply the service policy inbound from the internet
> (which I did). I then applied ACL 105 outbound towards my pix. The
> result? People on the inside were not able to view web pages outside
> their network. People outside could originate connections inbound
> including connections to web servers in the DMZ. I was getting hits on
> both lines of the ACL; a little less than 5% of the hits were the first
> line.
>
> Any ideas? Or do I need to open a TAC case?
>
> -Eric
>
> I haven't had time to look at it more; my initial guess is that I need a
> class default to set dscp to 0.
>
>


-- 
"The network is the computer"
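Added example, not part of the thread: a small Python model of the mark-then-deny pattern both configs use (policy-map marks the StreamingMedia class with DSCP 1, ACL 105 drops DSCP 1). It assumes NBAR classification is just a protocol label on each packet, and it models Eric's guess that a class-default resetting DSCP to 0 is needed, so that unrelated traffic arriving already marked with DSCP 1 is not dropped as collateral.

```python
# Toy model of the IOS pieces in this thread (assumed semantics, not IOS code):
#   class-map match-any StreamingMedia  -> protocol in STREAMING
#   policy-map mark-StreamingMedia      -> set ip dscp 1 on that class
#   access-list 105                     -> deny dscp 1, permit everything else
from dataclasses import dataclass, replace

STREAMING = {"cuseeme", "fasttrack", "gnutella", "kazaa2", "napster",
             "netshow", "rtp", "rtspplayer", "vdolive", "streamwork"}
MARK_DSCP = 1  # 'set ip dscp 1' in policy-map mark-StreamingMedia

@dataclass(frozen=True)
class Packet:
    protocol: str   # label NBAR assigned to the flow (assumed, not real DPI)
    dscp: int       # DSCP value carried in the IP header on arrival

def policy_map(pkt: Packet, reset_default: bool) -> Packet:
    """'service-policy input': mark the StreamingMedia class; with
    reset_default=True also apply 'class class-default / set ip dscp 0'."""
    if pkt.protocol in STREAMING:          # class StreamingMedia (match-any)
        return replace(pkt, dscp=MARK_DSCP)
    if reset_default:                      # class-default resets the mark
        return replace(pkt, dscp=0)
    return pkt                             # class-default: pass through as-is

def acl_105(pkt: Packet) -> bool:
    """'deny ip any any dscp 1' then 'permit ip any any'. True = forwarded."""
    return pkt.dscp != MARK_DSCP

def forward(pkt: Packet, reset_default: bool) -> bool:
    """Packet path: inbound policy-map, then outbound ACL 105."""
    return acl_105(policy_map(pkt, reset_default))

# Constructed sample traffic: a P2P flow, clean HTTP, and HTTP that arrives
# with DSCP 1 already set by some upstream device (the suspected collateral).
SAMPLE = [Packet("kazaa2", 0), Packet("http", 0), Packet("http", 1)]

def simulate(reset_default: bool) -> dict:
    """Map 'protocol/dscpN' -> forwarded? for the sample traffic."""
    return {f"{p.protocol}/dscp{p.dscp}": forward(p, reset_default)
            for p in SAMPLE}
```

Without the class-default reset, the pre-marked HTTP packet is dropped alongside the P2P flow; with it, only the StreamingMedia class is denied.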