Yeah I got that now. Thanks for the info.

Regards
Imran
On Fri, Oct 23, 2009 at 8:06 PM, Piotr Matusiak <[email protected]> wrote:

> It works because ZBFW does not look at exact value in the HTTP header
> server field. Instead it joins two regex strings:
> 1. "^[Ss][Ee][Rr][Vv][Ee][Rr]:" - which indicates server field in http
> header
> 2. ".*cisco-IOS" - which is configured by the user
>
> So you need to take into consideration that there is a space between
> "Server:" and "cisco-IOS".
> The same is true for every field in the http header for example when you
> want to match Host field you should use ".*example.com" or ".*
> http://www.example.com" to address that space. Check Cisco documentation
> and you will see they always use ".*" before the domain name they want to
> match.
>
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, SEC)
> Technical Instructor
> MicronicsTraining.com
>
> “If you can't explain it simply, you don't understand it well enough” -
> Albert Einstein
>
>
> 2009/10/23 imran mohammed <[email protected]>
>
>> WOW this one worked
>> parameter-map type regex HEADER
>>  pattern .*cisco-IOS
>>
>> Thanks a lot
>>
>> Imran
>>
>>
>> On Fri, Oct 23, 2009 at 7:43 PM, Piotr Matusiak <[email protected]> wrote:
>>
>>> LOL, here it is:
>>>
>>>
>>> parameter-map type regex IMRAN
>>> no pattern cisco-IOS
>>>
>>> pattern ".*cisco-IOS"
>>>
>>>
>>> --
>>> Piotr Matusiak
>>> CCIE #19860 (R&S, SEC)
>>> Technical Instructor
>>> MicronicsTraining.com
>>>
>>> “If you can't explain it simply, you don't understand it well enough” -
>>> Albert Einstein
>>>
>>>
>>> 2009/10/23 imran mohammed <[email protected]>
>>>
>>>> Hey I think my mind is totally out now. Can you just put the whole
>>>> command so that I can copy n paste. Sorry for that.
>>>>
>>>> Regards
>>>> imran
>>>>
>>>>
>>>> On Fri, Oct 23, 2009 at 7:35 PM, Piotr Matusiak <[email protected]> wrote:
>>>>
>>>>> I said you should use pattern of: pattern ".*cisco-IOS"
>>>>>
>>>>>
>>>>> --
>>>>> Piotr Matusiak
>>>>> CCIE #19860 (R&S, SEC)
>>>>> Technical Instructor
>>>>> MicronicsTraining.com
>>>>>
>>>>> “If you can't explain it simply, you don't understand it well enough” -
>>>>> Albert Einstein
>>>>>
>>>>>
>>>>> 2009/10/23 imran mohammed <[email protected]>
>>>>>
>>>>>> That didn't work.
>>>>>>
>>>>>> parameter-map type regex HEADER
>>>>>>  pattern ^[Ss][Ee][Rr][Vv][Ee][Rr]:.*cisco-IOS
>>>>>>
>>>>>>
>>>>>>
>>>>>> class-map type inspect http match-all HTTP_TRAFFIC
>>>>>>  match  response header server regex HEADER
>>>>>>
>>>>>> If I just give the command "match  response header server" it works
>>>>>> the action is specify and I also see a log generating. It doesn't work
>>>>>> with regex.
>>>>>>
>>>>>> Regards
>>>>>> Imran
>>>>>> On Fri, Oct 23, 2009 at 6:53 PM, Piotr Matusiak <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> This does not work simply because you used a slightly wrong pattern to match
>>>>>>> the header field.
>>>>>>> In HTTP header the server field looks like:
>>>>>>> Server: cisco-IOS\r\n
>>>>>>>
>>>>>>> So ZBFW must match packets using the following regex string:
>>>>>>> ^[Ss][Ee][Rr][Vv][Ee][Rr]:.*cisco-IOS
>>>>>>>
>>>>>>> There is a space between "Server" and "cisco-IOS" so the correct
>>>>>>> pattern looks like:
>>>>>>> pattern ".*cisco-IOS"
>>>>>>>
>>>>>>> HTH,
>>>>>>> --
>>>>>>> Piotr Matusiak
>>>>>>> CCIE #19860 (R&S, SEC)
>>>>>>> Technical Instructor
>>>>>>> MicronicsTraining.com
>>>>>>>
>>>>>>> “If you can't explain it simply, you don't understand it well enough”
>>>>>>> - Albert Einstein
>>>>>>>
>>>>>>>
>>>>>>> 2009/10/23 imran mohammed <[email protected]>
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> I am trying to match the server field in the http response header. If I see
>>>>>>>> cisco-IOS (for cisco IOS http server) the connection should get
>>>>>>>> reset. Here is my config:
>>>>>>>>
>>>>>>>> parameter-map type regex IMRAN
>>>>>>>>  pattern cisco-IOS
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> class-map type inspect http match-all HTTP_TRAFFIC
>>>>>>>>  match  response header server regex IMRAN
>>>>>>>> policy-map type inspect http PMAP_DMZ_TO_SERVER
>>>>>>>>  class type inspect http HTTP_TRAFFIC
>>>>>>>>  reset
>>>>>>>> class-map type inspect match-any CMAP_DMZ_TO_OUTSIDE
>>>>>>>>  match protocol http
>>>>>>>>
>>>>>>>> policy-map type inspect PMAP_DMZ_TO_OUTSIDE
>>>>>>>>  class type inspect CMAP_DMZ_TO_OUTSIDE
>>>>>>>>  inspect
>>>>>>>>  service-policy http PMAP_DMZ_TO_SERVER
>>>>>>>>  class class-default
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> zone security ZONE_INSIDE
>>>>>>>> zone security ZONE_OUTSIDE
>>>>>>>> zone security ZONE_DMZ
>>>>>>>>
>>>>>>>> zone-pair security DMZ_TO_OUTSIDE source ZONE_DMZ destination ZONE_OUTSIDE
>>>>>>>>  service-policy type inspect PMAP_DMZ_TO_OUTSIDE
>>>>>>>>
>>>>>>>> In ASA after creating regex we can test the regex. Is there anything
>>>>>>>> similar in cisco IOS? Can someone provide me a doc where I can see
>>>>>>>> examples for layer 7 policies in IOS ZWF?
>>>>>>>>
>>>>>>>> Once this works, I want to try to change the content of the server
>>>>>>>> field (basically to spoof the server). How to do that?
>>>>>>>>
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Imran
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
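
Added example, not part of the original thread and not Cisco's code: a small Python model of the behaviour Piotr describes (ZBFW joining its own `^[Ss][Ee][Rr][Vv][Ee][Rr]:` prefix with the user's pattern), for checking a pattern offline against a sample header line. It assumes Python's `re` behaves like the IOS regex engine for these simple patterns; the function names and the prefix builder for fields other than Server are hypothetical.

```python
import re

# Prefix quoted in the thread for "match response header server regex ...".
SERVER_PREFIX = r"^[Ss][Ee][Rr][Vv][Ee][Rr]:"

def header_prefix(field):
    """Build a case-insensitive '^Name:' prefix in the style quoted in the thread.
    Assumption: other header fields get a prefix of the same shape."""
    parts = []
    for ch in field:
        if ch.isalpha():
            parts.append("[%s%s]" % (ch.upper(), ch.lower()))
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + ":"

def effective_regex(field, user_pattern):
    """Model of the joined regex: fixed prefix + pattern from the parameter-map."""
    return header_prefix(field) + user_pattern

def matches(field, user_pattern, header_line):
    """True if the joined regex matches the header line (CRLF stripped)."""
    line = header_line.rstrip("\r\n")
    return re.search(effective_regex(field, user_pattern), line) is not None

# Constructed sample cases: (field, parameter-map pattern, header line).
CASES = [
    # Original config: nothing accounts for the space after "Server:".
    ("Server", "cisco-IOS", "Server: cisco-IOS\r\n"),
    # Working config from the thread: ".*" absorbs the space.
    ("Server", ".*cisco-IOS", "Server: cisco-IOS\r\n"),
    # Second attempt: the prefix ends up doubled, so the inner "^" can never match.
    ("Server", SERVER_PREFIX + ".*cisco-IOS", "Server: cisco-IOS\r\n"),
    # Host field, same rule.
    ("Host", ".*example.com", "Host: www.example.com\r\n"),
    # Caveat: the pattern is unanchored at the end, so longer names match too.
    ("Host", ".*example.com", "Host: example.com.other.test\r\n"),
]

def run_cases(cases=CASES):
    """Return (joined regex, header line, matched?) for each case."""
    return [(effective_regex(f, p), h.strip(), matches(f, p, h)) for f, p, h in cases]

if __name__ == "__main__":
    for regex, line, hit in run_cases():
        print("%-5s  %-55s  %s" % ("MATCH" if hit else "miss", regex, line))
```
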
