Snippet from http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_fpm/configuration/12-4t/sec-flex-pack-match.html#GUID-884336F7-B2CB-4092-9E0E-ED092911E7EB
Example: Configuring FPM for MyDoom Packets

The following example shows how to configure FPM for MyDoom packets. The match criteria are as follows:

- 90 > IP length > 44
- pattern 0x47455420 at 40 bytes from start of IP header

or

- IP length > 44
- pattern 0x6d3a3830 at 48 bytes from start of IP header
- pattern 0x47455420 at 40 bytes from start of IP header

Router(config)# load protocol disk2:ip.phdf
Router(config)# load protocol disk2:tcp.phdf
Router(config)# class-map type stack match-all ip-tcp
Router(config-cmap)# match field ip protocol eq 0x6 next tcp
Router(config)# class-map type access-control match-all mydoom1
Router(config-cmap)# match field ip length gt 44
Router(config-cmap)# match field ip length lt 90
Router(config-cmap)# match start l3-start offset 40 size 4 eq 0x47455420
Router(config)# class-map type access-control match-all mydoom2
Router(config-cmap)# match field ip length gt 44
*Router(config-cmap)# match start l3-start offset 40 size 4 eq 0x47455420
Router(config-cmap)# match start l3-start offset 48 size 4 eq 0x6d3a3830*
Router(config)# policy-map type access-control fpm-tcp-policy
Router(config-pmap)# class mydoom1
Router(config-pmap-c)# drop
Router(config-pmap-c)# class mydoom2
Router(config-pmap-c)# drop
Router(config)# policy-map type access-control fpm-policy
Router(config-pmap)# class ip-tcp
Router(config-pmap-c)# service-policy fpm-tcp-policy
Router(config)# interface gigabitEthernet 0/1
Router(config-if)# service-policy type access-control input fpm-policy

With regards
Kings

On Fri, Mar 30, 2012 at 11:16 AM, Jónatan Þór Jónasson <[email protected]> wrote:

> Hi,
>
> I hope I'm not asking a repeated question, I've gone through the archives
> and was unable to find the answer...
>
> So I'm trying to understand FPM...
>
> What I can't wrap my head around is the MyDoom example.
> It's in IPExpert's OWLE Lab (D4/7.1) and repeated examples on Cisco's
> website (http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html#wp1054220)
>
> The criteria are as follows:
> - 90 > IP length > 44
> - pattern 0x47455420 at 40 bytes from start of IP header
> or
> - IP length > 44
> - pattern 0x6d3a3830 at 48 bytes from start of IP header
> - pattern 0x47455420 at 40 bytes from start of IP header
>
> The part of the solution is:
> In class-map 1, the offset is set at "40" (sounds right, starts at 40 bytes)
> In class-map 2, the first offset is set at "78" (Where does this 78 come from, why not 48??)
>
> Full solution according to both Cisco's documentation and IP Expert's DSG is below...
>
> In the XML version of this same thing, as provided by Cisco, they type it out like this:
> class-map 1: tcpheader(5)*4+20 (equals 40)
> class-map 2: tcpheader(5)*4+58 (equals 78)
>
> Can anyone help me out and kindly explain to me where the number "78" comes from?
>
> Complete config according to Cisco's doc:
>
> load protocol disk2:ip.phdf
> load protocol disk2:tcp.phdf
>
> class-map type stack match-all ip-tcp
>  match field ip protocol eq 0x6 next tcp
>
> class-map type access-control match-all mydoom1
>  match field ip length gt 44
>  match field ip length lt 90
>  match start l3-start offset 40 size 4 eq 0x47455420
>
> class-map type access-control match-all mydoom2
>  match field ip length gt 44
>  match start l3-start offset 40 size 4 eq 0x47455420
>  match start l3-start offset 78 size 4 eq 0x6d3a3830
>
> policy-map type access-control fpm-tcp-policy
>  class mydoom1
>   drop
>  class mydoom2
>   drop
>
> policy-map type access-control fpm-policy
>  class ip-tcp
>   service-policy fpm-tcp-policy
>
> With best regards,
> Jonatan
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
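As an added example (not Cisco's code and not from either post in this thread), here is a small Python model of the two MyDoom class-maps evaluated against constructed IPv4/TCP packets. It assumes the FPM semantics as the documentation describes them: "ip length" is the total-length field of the IP header, and "match start l3-start offset N size 4 eq V" compares four bytes found N bytes from the start of the IP header. The arithmetic in the XML version, the 20-byte IP header plus tcpheader(5)*4, puts the start of the TCP payload at byte 40, so a pattern eight bytes into the payload sits at 48; the example evaluates the second class-map with both 48 and 78 so you can see which one matches. The packet builder, the payload bytes, the addresses and the helper names are all assumptions of this example, not anything from the router or the document.

```python
# Added example (not Cisco's code and not from either mailing-list post): a small
# model of the two MyDoom FPM class-maps, run against constructed IPv4/TCP packets,
# to show where the l3-start offsets 40 and 48 come from. Assumptions: 20-byte
# IP and TCP headers unless options are requested; checksums are left at zero
# because the matching never looks at them.
import struct

# "GET " (0x47455420) at payload offset 0 and "m:80" (0x6d3a3830) at payload
# offset 8, as the match criteria require. Constructed, not real MyDoom traffic.
PAYLOAD = b"GET /xxxm:80 HTTP/1.0\r\n\r\n"          # 25 bytes


def build_packet(payload: bytes, ihl_words: int = 5, tcp_doff_words: int = 5) -> bytes:
    """IPv4 header + TCP header + payload; extra header words are NOP (0x01) options."""
    ip_hdr_len = ihl_words * 4
    tcp_hdr_len = tcp_doff_words * 4
    total_len = ip_hdr_len + tcp_hdr_len + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl_words,   # version 4, IHL in 32-bit words
        0,                      # TOS
        total_len,              # IP total length (what "match field ip length" tests)
        0x1234, 0x4000,         # identification, DF flag
        64, 6, 0,               # TTL, protocol TCP (0x6), checksum (unused here)
        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]),   # documentation addresses
    ) + b"\x01" * (ip_hdr_len - 20)
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        40000, 80,              # source port, destination port
        1, 0,                   # sequence, acknowledgement
        tcp_doff_words << 4,    # data offset in 32-bit words (tcpheader(5) in the doc)
        0x18,                   # PSH|ACK
        65535, 0, 0,            # window, checksum (unused), urgent pointer
    ) + b"\x01" * (tcp_hdr_len - 20)
    return ip_hdr + tcp_hdr + payload


SAMPLE_SHORT = build_packet(PAYLOAD)                 # IP length 65: inside 44 < L < 90
SAMPLE_LONG = build_packet(PAYLOAD + b"A" * 40)      # IP length 105: only mydoom2 applies


def ip_total_length(pkt: bytes) -> int:
    """'match field ip length': the total-length field at bytes 2-3 of the IP header."""
    return struct.unpack("!H", pkt[2:4])[0]


def match_start_l3(pkt: bytes, offset: int, size: int, value: int) -> bool:
    """'match start l3-start offset N size S eq V': S bytes at N from the IP header start."""
    field = pkt[offset:offset + size]
    return len(field) == size and int.from_bytes(field, "big") == value


def class_mydoom1(pkt: bytes) -> bool:
    """class-map mydoom1: 44 < ip length < 90 and "GET " at l3-start offset 40."""
    length = ip_total_length(pkt)
    return bool(44 < length < 90 and match_start_l3(pkt, 40, 4, 0x47455420))


def class_mydoom2(pkt: bytes, second_offset: int = 48) -> bool:
    """class-map mydoom2: ip length > 44, "GET " at 40 and "m:80" at second_offset
    (48 in the XML version of the document, 78 in the HTML version)."""
    length = ip_total_length(pkt)
    return bool(length > 44
                and match_start_l3(pkt, 40, 4, 0x47455420)
                and match_start_l3(pkt, second_offset, 4, 0x6d3a3830))


def l3_offset(payload_offset: int, ihl_words: int = 5, tcp_doff_words: int = 5) -> int:
    """Byte offset from the start of the IP header to byte `payload_offset` of the TCP
    payload: IP header + tcpheader*4 + payload offset. Without options that is
    20 + 5*4 + 0 = 40 for "GET " and 20 + 5*4 + 8 = 48 for "m:80"."""
    return ihl_words * 4 + tcp_doff_words * 4 + payload_offset


def evaluate(pkt: bytes) -> dict:
    """Verdict of each class-map for one packet, trying both candidate second offsets."""
    return {
        "ip_length": ip_total_length(pkt),
        "mydoom1": class_mydoom1(pkt),
        "mydoom2_offset48": class_mydoom2(pkt, 48),
        "mydoom2_offset78": class_mydoom2(pkt, 78),
    }


if __name__ == "__main__":
    for name, pkt in (("short", SAMPLE_SHORT), ("long", SAMPLE_LONG)):
        print(name, evaluate(pkt))
    print("offset of 'GET ':", l3_offset(0), " offset of 'm:80':", l3_offset(8))
    # The fixed offsets assume option-free headers; one extra TCP header word shifts both.
    print("with one TCP option word:", evaluate(build_packet(PAYLOAD, tcp_doff_words=6)))
```

Running the block prints the verdicts for a 65-byte packet (both class-maps match with the second offset at 48, neither with 78) and for a 105-byte packet (only mydoom2 at 48 matches). The `l3_offset` helper generalizes the document's tcpheader(5)*4+20 arithmetic to headers that carry options: the class-map's literal 40 and 48 assume 20-byte IP and TCP headers, so a packet with options is not matched by them, a limitation worth remembering whenever an FPM policy keys on absolute l3-start offsets.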
