Hi,

I hope I'm not asking a repeated question; I've gone through the archives and was unable to find the answer...
So I'm trying to understand FPM... What I can't wrap my head around is the MyDoom example. It's in IPExpert's OWLE Lab (D4/7.1) and in repeated examples on Cisco's website (http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html#wp1054220).

The criteria are as follows:

 - 90 > IP length > 44
 - pattern 0x47455420 at 40 bytes from start of IP header

or

 - IP length > 44
 - pattern 0x6d3a3830 at 48 bytes from start of IP header
 - pattern 0x47455420 at 40 bytes from start of IP header

Part of the solution is:

In class-map 1, the offset is set at "40" (sounds right, starts at 40 bytes)
In class-map 2, the first offset is set at "78" (Where does this 78 come from, why not 48??)

Full solution according to both Cisco's documentation and IP Expert's DSG is below...

In the XML version of this same thing, as provided by Cisco, they type it out like this:

class-map 1: tcpheader(5)*4+20 (equals 40)
class-map 2: tcpheader(5)*4+58 (equals 78)

Can anyone help me out and kindly explain to me where the number "78" comes from?

Complete config according to Cisco's doc:

    load protocol disk2:ip.phdf
    load protocol disk2:tcp.phdf
    class-map type stack match-all ip-tcp
     match field ip protocol eq 0x6 next tcp
    class-map type access-control match-all mydoom1
     match field ip length gt 44
     match field ip length lt 90
     match start l3-start offset 40 size 4 eq 0x47455420
    class-map type access-control match-all mydoom2
     match field ip length gt 44
     match start l3-start offset 40 size 4 eq 0x47455420
     match start l3-start offset 78 size 4 eq 0x6d3a3830
    policy-map type access-control fpm-tcp-policy
     class mydoom1
      drop
     class mydoom2
      drop
    policy-map type access-control fpm-policy
     class ip-tcp
      service-policy fpm-tcp-policy

With best regards,
Jonatan
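Added example (not part of the original post, and not Cisco's or IPExpert's code): a small Python emulation of the two access-control class-maps exactly as configured above, run over constructed packets, to show which bytes counted from the start of the IP header each "match start l3-start offset N size 4" line compares. The packet builder, payloads and function names are assumptions made for illustration; the packets use a 20-byte IP header and a 20-byte TCP header with no options.

```python
import struct

GET = 0x47455420  # pattern used at offset 40
M80 = 0x6d3a3830  # pattern used at offset 78

def ascii_of(pattern):
    """Decode a 4-byte pattern so the matched text is visible."""
    return pattern.to_bytes(4, "big").decode("ascii")

def u32_at(pkt, offset):
    """4-byte big-endian value at `offset` from l3-start, or None if out of range."""
    if offset + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, offset)[0]

def classify(pkt):
    """Return the class-map the packet falls into ('mydoom1', 'mydoom2') or None."""
    if pkt[9] != 0x6:                      # stack class ip-tcp: ip protocol eq 0x6
        return None
    ip_len = struct.unpack_from("!H", pkt, 2)[0]   # IP total-length field
    if 44 < ip_len < 90 and u32_at(pkt, 40) == GET:
        return "mydoom1"
    if ip_len > 44 and u32_at(pkt, 40) == GET and u32_at(pkt, 78) == M80:
        return "mydoom2"
    return None

def build_packet(payload, proto=6):
    """Constructed IPv4 (IHL=5) + TCP (data offset=5) packet; checksums left at 0."""
    total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload

# Constructed sample payloads (payload byte 0 sits at l3 offset 40).
SHORT_GET = build_packet(b"GET /index.html HTTP/1.0\r\n\r\n")              # IP length 68
LONG_AT_78 = build_packet(b"GET " + b"A" * 34 + b"m:80" + b"B" * 20)       # "m:80" at l3 offset 78
LONG_AT_48 = build_packet(b"GET " + b"AAAA" + b"m:80" + b"B" * 50)         # "m:80" at l3 offset 48
UDP_GET = build_packet(b"GET /index.html HTTP/1.0\r\n\r\n", proto=17)

if __name__ == "__main__":
    print(repr(ascii_of(GET)), repr(ascii_of(M80)))
    for name in ("SHORT_GET", "LONG_AT_78", "LONG_AT_48", "UDP_GET"):
        print(name, "->", classify(globals()[name]))
```
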
