You can actually simplify that to
^Server: cisco-IOS
Or
^Server:\tcisco-IOS

I am not sure if that is a tab or a space in the output.

[sS] just means it will match it if it is upper or lower case.

As shown below, we know the case, so we don't have to account for variations.

.* means any character, 0 or more instances.

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

Telephone: +1.810.326.1444 
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto:  [email protected]
 


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Piotr Matusiak
Sent: Friday, October 23, 2009 9:24 AM
To: imran mohammed
Cc: Cisco certification; OSL CCIE Security Lab Exam
Subject: Re: ZWF http response match

Hi,

This does not work simply because you used a slightly wrong pattern to match the
header field.
In the HTTP header, the Server field looks like:
Server: cisco-IOS\r\n

So ZBFW must match packets using the following regex string:
^[Ss][Ee][Rr][Vv][Ee][Rr]:.*cisco-IOS

There is a space between "Server" and "cisco-IOS" so the correct pattern
looks like:
pattern ".*cisco-IOS"

HTH,
--
Piotr Matusiak
CCIE #19860 (R&S, SEC)
Technical Instructor
MicronicsTraining.com

If you can't explain it simply, you don't understand it well enough -
Albert Einstein


2009/10/23 imran mohammed <[email protected]>

> Hi all,
>
> I am trying to match the server field in the HTTP response header. If I see
> cisco-IOS (for the Cisco IOS HTTP server), the connection should get reset. Here
> is my config:
>
> parameter-map type regex IMRAN
>  pattern cisco-IOS
>
>
>
> class-map type inspect http match-all HTTP_TRAFFIC
>  match  response header server regex IMRAN
> policy-map type inspect http PMAP_DMZ_TO_SERVER
>  class type inspect http HTTP_TRAFFIC
>  reset
> class-map type inspect match-any CMAP_DMZ_TO_OUTSIDE
>  match protocol http
>
> policy-map type inspect PMAP_DMZ_TO_OUTSIDE
>  class type inspect CMAP_DMZ_TO_OUTSIDE
>  inspect
>  service-policy http PMAP_DMZ_TO_SERVER
>  class class-default
>
>
>
>
> zone security ZONE_INSIDE
> zone security ZONE_OUTSIDE
> zone security ZONE_DMZ
>
> zone-pair security DMZ_TO_OUTSIDE source ZONE_DMZ destination ZONE_OUTSIDE
>  service-policy type inspect PMAP_DMZ_TO_OUTSIDE
>
> In ASA, after creating a regex we can test the regex. Is there anything similar
> in Cisco IOS? Can someone provide me a doc where I can see examples for
> layer 7 policies in IOS ZWF?
>
> Once this works, I want to try to change the content of the server field
> (basically to spoof the server). How to do that?
>
>
> Regards
> Imran
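
The patterns quoted in this thread can be compared offline before they go into a parameter-map. This is an added example, not part of the original messages: it uses Python's `re` as a stand-in for the IOS regex engine (which may behave differently, for instance in how it treats `\t`), and the sample header lines, the helper names and the anchored/unanchored modes are assumptions made for illustration.

```python
import re

# Patterns quoted in the thread.
PATTERNS = {
    "bare": r"cisco-IOS",
    "literal_space": r"^Server: cisco-IOS",
    "literal_tab": r"^Server:\tcisco-IOS",
    "bracketed": r"^[Ss][Ee][Rr][Vv][Ee][Rr]:.*cisco-IOS",
    "dot_star": r".*cisco-IOS",
}

# Constructed header lines (not captured traffic): (text, should_be_caught).
SAMPLES = {
    "space": ("Server: cisco-IOS\r\n", True),
    "tab": ("Server:\tcisco-IOS\r\n", True),
    "lower_name": ("server: cisco-IOS\r\n", True),
    "no_gap": ("Server:cisco-IOS\r\n", True),
    "apache": ("Server: Apache\r\n", False),
    # Only relevant if the regex is ever applied to other header lines
    # (an assumption; the class-map in the thread matches the server field).
    "via": ("Via: 1.1 cisco-IOS\r\n", False),
}


def hits(pattern, anchored):
    """Names of the samples the pattern matches.

    anchored=True models an engine that matches only from the first
    character of the text (an assumption about the device);
    anchored=False models a search anywhere in the text.
    """
    rx = re.compile(pattern)
    test = rx.match if anchored else rx.search
    return {name for name, (text, _) in SAMPLES.items() if test(text)}


def coverage(pattern, anchored):
    """Return (missed, false_hits) as sorted lists of sample names."""
    got = hits(pattern, anchored)
    wanted = {name for name, (_, want) in SAMPLES.items() if want}
    return sorted(wanted - got), sorted(got - wanted)


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        for anchored in (False, True):
            missed, false_hits = coverage(pattern, anchored)
            print(f"{name:14} anchored={anchored!s:5} missed={missed} false_hits={false_hits}")
```

Under the anchored model, the bare pattern matches none of the Server lines while the `.*` form does. The literal space and tab forms each catch only the one whitespace variant they spell out.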

