[c-nsp] Cisco nbar - How to detect media streamings
Eric Pylko
eric at infinitenetworks.us
Sun Jun 25 20:58:39 EDT 2006
> -------- Original Message --------
> Subject: Re: [c-nsp] Cisco nbar - How to detect media streamings
> From: Matt Stevens <matt at elevate.org>
> Date: Fri, June 23, 2006 2:59 pm
> To: Velasquez Venegas Jaime Omar <jaime at ulima.edu.pe>
> Cc: cisco-nsp at puck.nether.net
>
> Most of the newer P2P PDLM files will detect the protocol on any port.
>
> They appear in the list as being bound to their well-known port(s), but
> will detect traffic matching the signature on any port.
> --
> matt
>
I was just trying to do something similar - block protocols with NBAR.
Cisco has a document on their website that goes something like this
(my config which didn't work):
!
class-map match-any StreamingMedia
 match protocol cuseeme
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol napster
 match protocol netshow
 match protocol rtp
 match protocol rtspplayer
 match protocol vdolive
 match protocol streamwork
!
!
policy-map mark-StreamingMedia
 class StreamingMedia
  set ip dscp 1
!
access-list 105 deny ip any any dscp 1
access-list 105 permit ip any any
!
The idea is that you apply the service policy inbound from the internet
(which I did). I then applied ACL 105 outbound towards my pix. The
result? People on the inside were not able to view web pages outside
their network. People outside could originate connections inbound
including connections to web servers in the DMZ. I was getting hits on
both lines of the ACL; a little less than 5% of the hits were the first
line.
Any ideas? Or do I need to open a TAC case?
-Eric
I haven't had time to look at it more; my initial guess is that I need a
class default to set dscp to 0.