One more thing
Personally I like to use the stack option, and when I do that, if I am looking at UDP or TCP I can use

    match start [UDP|TCP] payload offset <offset> [regex|pattern] <value>

This takes care of the header offset already for me.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, April 05, 2010 10:40 AM
To: [email protected]
Subject: [OSL | CCIE_Security] FPM access-control options of matching data

Hi all

I need clarification on the data matching options in FPM.

    router(config-cmap)#match start l3-start offset 123 size 4 ?
      eq      eq
      gt      gt
      lt      lt
      neq     neq
      range   range
      regex   regex
      string  string

When do we use eq, string and regex?

My understanding is that when you want to directly match the hex pattern in the packet, we use "eq" as follows:

    Router(config)# class-map type access-control match-all mydoom2
    Router(config-cmap)# match field ip length gt 44
    Router(config-cmap)# match start l3-start offset 40 size 4 eq 0x47455420
    Router(config-cmap)# match start l3-start offset 78 size 4 eq 0x6d3a3830

We should use regex or string when we need to match letters or alphabets which are not hex, as follows:

    class-map type access-control match-all test-class
     match field TCP dest-port gt 10
     match start l3-start offset 40 size 32 regex "ABCD"

    class-map type access-control match-all test-class
     match field TCP dest-port gt 10
     match start l3-start offset 40 size 32 string "ABCD"

The IOS will convert ABCD into ASCII, then into hex, and then will search the packet for the hex value.

Please let me know your thoughts.

With regards
Kings
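
Added example, not part of the original thread and not Cisco code: a small Python model of the eq, string and regex operators over a constructed IPv4/TCP packet, showing what the eq constants above look like as bytes and why a fixed l3-start offset of 40 only lands on the TCP payload when neither header carries options. The function names, the sample packet and the "search anywhere inside the window" behaviour of string and regex are assumptions of this model.

```python
import re
import struct

def build_packet(payload, tcp_opts=b""):
    """Constructed IPv4/TCP packet whose first byte is the IP header (l3-start)."""
    doff = (20 + len(tcp_opts)) // 4                  # TCP header length in 32-bit words
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(tcp_opts) + len(payload),
                     0, 0, 64, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, doff << 4, 0x18, 8192, 0, 0)
    return ip + tcp + tcp_opts + payload

def tcp_payload_start(pkt):
    """Payload offset computed from the IHL and TCP data-offset fields."""
    ihl = (pkt[0] & 0x0F) * 4
    return ihl + (pkt[ihl + 12] >> 4) * 4

def match_start(pkt, base, offset, size, op, value):
    """Model of 'match start <base> offset <offset> size <size> <op> <value>'.
    Assumption: string and regex search anywhere inside the size-byte window."""
    window = pkt[base + offset:base + offset + size]
    if op == "eq":
        return len(window) == size and int.from_bytes(window, "big") == value
    if op == "string":
        return value.encode("ascii") in window
    if op == "regex":
        return re.search(value.encode("ascii"), window) is not None
    raise ValueError(f"unsupported operator: {op}")

def hex_as_ascii(value, size=4):
    """Show what an eq constant looks like as packet bytes."""
    return value.to_bytes(size, "big").decode("ascii")

PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com:80\r\n\r\n"  # constructed
TS_OPT = bytes([1, 1, 8, 10]) + bytes(8)   # NOP, NOP, timestamp option (12 bytes total)
PLAIN = build_packet(PAYLOAD)
WITH_OPTS = build_packet(PAYLOAD, TS_OPT)

if __name__ == "__main__":
    print(repr(hex_as_ascii(0x47455420)), repr(hex_as_ascii(0x6d3a3830)))
    for name, pkt in (("no options", PLAIN), ("TCP options", WITH_OPTS)):
        start = tcp_payload_start(pkt)
        print(name, "payload starts at", start,
              "| l3-start+40 eq:", match_start(pkt, 0, 40, 4, "eq", 0x47455420),
              "| payload+0 eq:", match_start(pkt, start, 0, 4, "eq", 0x47455420),
              "| string:", match_start(pkt, start, 0, 32, "string", "index"),
              "| regex:", match_start(pkt, start, 0, 32, "regex", "^(GET|POST) "))
```

With the 12 bytes of TCP options present, the l3-start offset 40 comparison reads option bytes and misses, while the payload-relative match still hits.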
