Looking at Cisco's example and their match criteria for example 2, I would think the 78 is a typo and it should read 48. Anybody else that knows feel free to jump in, that is just at first glance and I really don't know FPM very well at the moment.
On Fri, Mar 30, 2012 at 1:46 AM, Jónatan Þór Jónasson <[email protected]> wrote:
> Hi,
>
> I hope I'm not asking a repeated question, I've gone through the archives
> and unable to find the answer...
>
> So I'm trying to understand FPM...
>
> What I can't wrap my head around, is the MyDoom example.
> It's in IPExpert's OWLE Lab (D4/7.1) and repeated examples on Cisco's
> website (
> http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_fpm.html#wp1054220)
>
> The criteria is as follows:
> .90 > IP length > 44
> .pattern 0x47455420 at 40 bytes from start of IP header
> or
> .IP length > 44
> .pattern 0x6d3a3830 at 48 bytes from start of IP header
> .pattern 0x47455420 at 40 bytes from start of IP header
>
> The part of the solution is.
> In class-map 1, the offset is set at "40" (sounds right, starts at 40
> bytes)
> In class-map 2, the first offset is set at "78" (Where does this 78 come
> from, why not 48??)
>
> Full solution according to both Cisco's documentation and IP Expert's DSG
> is below...
>
> In the XML version of this same thing, as provided by Cisco, they type it
> out like this:
> class-map 1: tcpheader(5)*4+20 (equals 40)
> class-map 2: tcpheader(5)*4+58 (equals 78)
>
>
>
> Can anyone help me out and kindly explain to me where the number "78"
> comes from?
>
>
> Complete config according to Cisco's doc:
>
> load protocol disk2:ip.phdf
> load protocol disk2:tcp.phdf
>
>
> class-map type stack match-all ip-tcp
>  match field ip protocol eq 0x6 next tcp
>
> class-map type access-control match-all mydoom1
>  match field ip length gt 44
>  match field ip length lt 90
>  match start l3-start offset 40 size 4 eq 0x47455420
>
> class-map type access-control match-all mydoom2
>  match field ip length gt 44
>  match start l3-start offset 40 size 4 eq 0x47455420
>  match start l3-start offset 78 size 4 eq 0x6d3a3830
>
> policy-map type access-control fpm-tcp-policy
>  class mydoom1
>   drop
>  class mydoom2
>   drop
>
> policy-map type access-control fpm-policy
>  class ip-tcp
>   service-policy fpm-tcp-policy
>
>
> With best regards,
> Jonatan
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>

--
Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
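An added example, not part of the original thread or of Cisco's documentation: a small Python model of the `match field ip length` and `match start l3-start offset N size 4 eq V` criteria from the quoted config, run against constructed packets to show which payload bytes the offsets 40, 48 and 78 select. It assumes 20-byte IP and TCP headers with no options; the function names and sample payloads are made up for the illustration.

```python
import struct

GET_ = 0x47455420   # ASCII "GET "
M_80 = 0x6d3a3830   # ASCII "m:80"

def build_packet(payload: bytes) -> bytes:
    """Constructed IPv4+TCP packet, 20-byte headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return ip + tcp + payload

def ip_length(pkt: bytes) -> int:
    """match field ip length: the 16-bit total-length field at byte 2."""
    return struct.unpack_from("!H", pkt, 2)[0]

def match_start(pkt: bytes, offset: int, size: int, value: int) -> bool:
    """match start l3-start offset <offset> size <size> eq <value>"""
    window = pkt[offset:offset + size]
    return len(window) == size and int.from_bytes(window, "big") == value

def mydoom1(pkt: bytes) -> bool:
    return 44 < ip_length(pkt) < 90 and match_start(pkt, 40, 4, GET_)

def mydoom2(pkt: bytes, second_offset: int = 78) -> bool:
    return (ip_length(pkt) > 44 and match_start(pkt, 40, 4, GET_)
            and match_start(pkt, second_offset, 4, M_80))

def payload_index(l3_offset: int) -> int:
    """Payload byte selected by an l3-start offset, given 20+20 header bytes."""
    return l3_offset - 40

def sample(marker_at: int) -> bytes:
    """Constructed payload: "GET " first, "m:80" placed at payload index marker_at."""
    body = bytearray(b"GET " + b"x" * 60)
    body[marker_at:marker_at + 4] = b"m:80"
    return build_packet(bytes(body))

if __name__ == "__main__":
    short = build_packet(b"GET / HTTP/1.0\r\n\r\n")
    print("short request  mydoom1:", mydoom1(short))
    for off in (48, 78):
        print(f"offset {off} reads payload byte {payload_index(off)};",
              "marker@8 ->", mydoom2(sample(8), off),
              "marker@38 ->", mydoom2(sample(38), off))
```

The two candidate offsets inspect different payload positions (bytes 8 and 38 after the TCP header), so a class-map written with one value does not match traffic that carries the marker at the other.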
