It works because ZBFW does not look at the exact value in the HTTP header Server
field. Instead it joins two regex strings:
1. "^[Ss][Ee][Rr][Vv][Ee][Rr]:" - which indicates the Server field in the HTTP
header
2. ".*cisco-IOS" - which is configured by the user

So you need to take into consideration that there is a space between
"Server:" and "cisco-IOS".
The same is true for every field in the HTTP header. For example, when you
want to match the Host field you should use ".*example.com" or
".* http://www.example.com" to address that space. Check the Cisco documentation and
you will see they always use ".*" before the domain name they want to match.

HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, SEC)
Technical Instructor
MicronicsTraining.com

“If you can't explain it simply, you don't understand it well enough” -
Albert Einstein


2009/10/23 imran mohammed <[email protected]>

> WOW this one worked
> parameter-map type regex HEADER
>  pattern .*cisco-IOS
>
> Thanks a lot
>
> Imran
>
>
> On Fri, Oct 23, 2009 at 7:43 PM, Piotr Matusiak <[email protected]> wrote:
>
>> LOL, here it is:
>>
>> parameter-map type regex IMRAN
>> no pattern cisco-IOS
>>
>> pattern ".*cisco-IOS"
>>
>>
>>
>> 2009/10/23 imran mohammed <[email protected]>
>>
>>> Hey, I think my mind is totally out now. Can you just put the whole command
>>> so that I can copy n paste. Sorry for that.
>>>
>>> Regards
>>> imran
>>>
>>>
>>> On Fri, Oct 23, 2009 at 7:35 PM, Piotr Matusiak <[email protected]> wrote:
>>>
>>>> I said you should use pattern of: pattern ".*cisco-IOS"
>>>>
>>>>
>>>>
>>>> 2009/10/23 imran mohammed <[email protected]>
>>>>
>>>>> That didn't work.
>>>>>
>>>>> parameter-map type regex HEADER
>>>>>  pattern ^[Ss][Ee][Rr][Vv][Ee][Rr]:.*cisco-IOS
>>>>>
>>>>>
>>>>> class-map type inspect http match-all HTTP_TRAFFIC
>>>>>  match  response header server regex HEADER
>>>>>
>>>>> If I just give the command "match  response header server" it works, the
>>>>> action is specified and I also see a log generating. It doesn't work with
>>>>> regex.
>>>>>
>>>>> Regards
>>>>> Imran
>>>>> On Fri, Oct 23, 2009 at 6:53 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> This does not work simply because you used a slightly wrong pattern to
>>>>>> match the header field.
>>>>>> In the HTTP header the server field looks like:
>>>>>> Server: cisco-IOS\r\n
>>>>>>
>>>>>> So ZBFW must match packets using the following regex string:
>>>>>> ^[Ss][Ee][Rr][Vv][Ee][Rr]:.*cisco-IOS
>>>>>>
>>>>>> There is a space between "Server" and "cisco-IOS" so the correct
>>>>>> pattern looks like:
>>>>>> pattern ".*cisco-IOS"
>>>>>>
>>>>>> HTH,
>>>>>>
>>>>>> 2009/10/23 imran mohammed <[email protected]>
>>>>>>
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I am trying to match the server field in the HTTP response header. If I
>>>>>>> see cisco-IOS (for the Cisco IOS HTTP server) the connection should get
>>>>>>> reset. Here is my config:
>>>>>>>
>>>>>>> parameter-map type regex IMRAN
>>>>>>>  pattern cisco-IOS
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> class-map type inspect http match-all HTTP_TRAFFIC
>>>>>>>  match  response header server regex IMRAN
>>>>>>> policy-map type inspect http PMAP_DMZ_TO_SERVER
>>>>>>>  class type inspect http HTTP_TRAFFIC
>>>>>>>  reset
>>>>>>> class-map type inspect match-any CMAP_DMZ_TO_OUTSIDE
>>>>>>>  match protocol http
>>>>>>>
>>>>>>> policy-map type inspect PMAP_DMZ_TO_OUTSIDE
>>>>>>>  class type inspect CMAP_DMZ_TO_OUTSIDE
>>>>>>>  inspect
>>>>>>>  service-policy http PMAP_DMZ_TO_SERVER
>>>>>>>  class class-default
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> zone security ZONE_INSIDE
>>>>>>> zone security ZONE_OUTSIDE
>>>>>>> zone security ZONE_DMZ
>>>>>>>
>>>>>>> zone-pair security DMZ_TO_OUTSIDE source ZONE_DMZ destination
>>>>>>> ZONE_OUTSIDE
>>>>>>>  service-policy type inspect PMAP_DMZ_TO_OUTSIDE
>>>>>>>
>>>>>>> In ASA, after creating a regex we can test the regex. Is there anything
>>>>>>> similar in Cisco IOS? Can someone provide me a doc where I can see
>>>>>>> examples for layer 7 policies in IOS ZWF?
>>>>>>>
>>>>>>> Once this works, I want to try to change the content of the server
>>>>>>> field (basically to spoof the server). How to do that?
>>>>>>>
>>>>>>>
>>>>>>> Regards
>>>>>>> Imran
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
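
Added example (not part of the original thread and not Cisco's code): a Python model of the joining behaviour described in the top message, using Python's re module in place of the IOS regex engine. The Host prefix, the function names and the sample header lines are assumptions constructed for illustration. It also shows that ".*cisco-IOS" matches the string anywhere in the field value, not only at its start.

```python
import re

# Prefix the thread says ZBFW joins in front of the user's pattern for
# "match response header server regex <name>".
SERVER_PREFIX = "^[Ss][Ee][Rr][Vv][Ee][Rr]:"
# Assumption: the Host field gets an analogous prefix (not quoted in the thread).
HOST_PREFIX = "^[Hh][Oo][Ss][Tt]:"


def effective_regex(user_pattern, prefix=SERVER_PREFIX):
    """Return the joined regex: fixed field prefix + configured pattern."""
    return prefix + user_pattern


def header_matches(header_line, user_pattern, prefix=SERVER_PREFIX):
    """True if the joined regex matches the raw header line."""
    return re.search(effective_regex(user_pattern, prefix), header_line) is not None


# Constructed sample header lines (not captured traffic).
CISCO = "Server: cisco-IOS\r\n"
OTHER = "Server: Apache/2.2 (front end for cisco-IOS lab)\r\n"
HOST = "Host: www.example.com\r\n"

# The three patterns tried in the thread, in the order they were tried.
THREAD_PATTERNS = [
    "cisco-IOS",                               # fails: space after "Server:"
    "^[Ss][Ee][Rr][Vv][Ee][Rr]:.*cisco-IOS",   # fails: prefix ends up twice
    ".*cisco-IOS",                             # works: ".*" absorbs the space
]


def evaluate(header_line=CISCO):
    """Map each pattern from the thread to whether the joined regex matches."""
    return {p: header_matches(header_line, p) for p in THREAD_PATTERNS}


if __name__ == "__main__":
    for pattern, hit in evaluate().items():
        print(f"{effective_regex(pattern)!r:60} -> {hit}")
    # ".*" is broad: any Server value containing the string also matches.
    print("other server value:", header_matches(OTHER, ".*cisco-IOS"))
    print("host without .*   :", header_matches(HOST, "example.com", HOST_PREFIX))
    print("host with .*      :", header_matches(HOST, ".*example.com", HOST_PREFIX))
```
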