You guys have to show it working ;). I am glad you posted this guys because
I was not sure. I had to test before commenting.
R2(config-subif)#do sh policy-map int s0/1/0.256 out
Serial0/1/0.256
Service-policy output: MQC
Class-map: TESTURI (match-all)
13 packets, 3743 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url "(*default\.ida|*cmd\.exe|*root\.exe)"
drop
Class-map: SECOND (match-any)
0 packets, 0 bytes
5 minute offered rate 0 bps, drop rate 0 bps
Match: protocol http url "*default.ida*"
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol http url "default.ida"
0 packets, 0 bytes
5 minute rate 0 bps
drop
Class-map: class-default (match-any)
447 packets, 48085 bytes
5 minute offered rate 3000 bps, drop rate 0 bps
Match: any
R2(config-subif)#
It matched when doing tests of cmd.exe root.exe and default.ida
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Managing Partner / Sr. Instructor - IPexpert, Inc.
Mailto: <mailto:[email protected]> [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: <http://www.ipexpert.com/chat>
www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
<http://www.ipexpert.com/communities> www.ipexpert.com/communities and our
public website at <http://www.ipexpert.com/> www.ipexpert.com
From: [email protected]
[mailto:[email protected]] On Behalf Of Mark Senteza
Sent: Tuesday, February 08, 2011 8:02 PM
To: Jerome Dolphin
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] NIMDA regex to check !!!
Try
class-map CMAP_ATTACK
match protocol http url "(*default\.ida|*cmd\.exe|*root\.exe)"
On Mon, Feb 7, 2011 at 1:14 PM, Jerome Dolphin <[email protected]> wrote:
I don't think so - IOS is not expecting a regular expression but rather a
string.
http://www.cisco.com/en/US/partner/docs/ios/qos/command/reference/qos_m1.htm
l#wp1058795
match protocol http [url url-string ...]
On Sat, Feb 5, 2011 at 10:45 PM, kamran shakil <[email protected]>
wrote:
if i have to match strings in URL , is the following correct and does the
same:
match protocol http url "(.ida|(cmd|root).exe)" serves the same purpose
as below:
class-map match-any CMAP_ATTACK
match protocol http url "*default.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
