nbar torrent encrypted

[drascii]

Ciao a tutti,
ho configurato NBAR per bloccare torrent ed altri P2P.
In particolare con torrent non ho ottenuto buoni risultati in due casi:
- uTorrent in modalità non criptata, ho comunque up e download anche se bassi
- uTorrent in modalità criptata, ho upload ed il download abbastanza alti.
Qualcuno ha esperienza in merito ? La mia necessità è di fare un drop.

Grazie a tutti.
Di seguito un estratto della conf:

class-map match-any P2P_MAP
match protocol bittorrent
match protocol napster
match protocol fasttrack
match protocol gnutella
match protocol edonkey
match protocol kazaa2
match protocol directconnect
match protocol winmx

policy-map IN_POLICY
class P2P_MAP
drop

interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
service-policy input IN_POLICY
service-policy output IN_POLICY

[Wizard]

La configurazione è corretta, se fai uno "sh policy-map int vlan10" matchano i pacchetti di bittorrent?
In ogni caso non ho grosse speranze x ora...molti software per il p2p funzioano lostesso, anche con i filtri...

[Wizard]

Se hai router e ios che te lo permettono configura IPS in entrata\uscita per i protocolli di file sharing. Mi sa che funzioni meglio che la tua attuale configurazione!

[drascii]

Si la cosa curiosa è che ho match, per protocolli come edonkey ho buoni risultati, anche se stò verificando cosa succede con applicativi come http-tunnel.
Cosa mi consigli per un BUON INSPECT con l'obbiettivo di limitare o meglio bloccare P2P ?

Vedi sotto (sh policy-map interface vlan 10):

Class-map: P2P_MAP (match-any)
32566 packets, 3961550 bytes
5 minute offered rate 5000 bps, drop rate 5000 bps
Match: protocol bittorrent
32390 packets, 3950900 bytes
5 minute rate 5000 bps
Match: protocol napster
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol fasttrack
4 packets, 248 bytes
5 minute rate 0 bps
Match: protocol gnutella
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol edonkey
2 packets, 120 bytes
5 minute rate 0 bps
Match: protocol kazaa2
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol directconnect
0 packets, 0 bytes
5 minute rate 0 bps
Match: protocol winmx
170 packets, 10282 bytes
5 minute rate 0 bps
drop

[drascii]

Ho questa ver di IOS: c870-advipservicesk9-mz.124-4.T7.bin
Supporta "ip ips" - "ip inspect" e "appfw policy-name".
L'ultimo "appfw policy-name" lo sto' provando per limitare p2p tunnellizzati in http.

[Wizard]

Facci vedere uno sh ver.
Se la ios lo permette, come ti dicevo prima, io configurerei ips x bloccare i protocolli di file sharing.
Mi sa che funzioni meglio (cu vuole un router piottosto potente però).

[drascii]

Router_GW#sh ver
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(4)T7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 29-Nov-06 00:43 by kellythw

ROM: System Bootstrap, Version 12.3(8r)YI3, RELEASE SOFTWARE

Router_GW uptime is 1 day, 2 hours, 39 minutes
System returned to ROM by power-on
System image file is "flash:c870-advipservicesk9-mz.124-4.T7.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
[email protected].

Cisco 871 (MPC8272) processor (revision 0x200) with 118784K/12288K bytes of memory.
Processor board ID FHK111212A4
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
5 FastEthernet interfaces
128K bytes of non-volatile configuration memory.
28672K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

[Wizard]

Anche se la ios non è recentissima e il router non è potenstissimo io proverei a configurare ios.
Prova e sappici dire

[drascii]

Ho abilitato ip ips x l'interfaccia "out". Ma una domanda, come posso personalizzare la conf per limitare i p2p ?

[Wizard]

Codice: Seleziona tutto

ip ips signature-category
  category all
   retired true
   event-action reset-tcp-connection deny-packet-inline produce-alert
  category p2p
   retired false
 

Vado a memoria quindi la sintassi potrebbe non essere perfetta.
Facci poi vedere la config completa del router

[andrewp]

SCE

[Wizard]

X la config completa del ips segui questo mio post:

http://www.ciscoforums.it/viewtopic.php?t=5010

[drascii]

Ecco la conf completa:

Router_GW#sh run
Building configuration...

Current configuration : 5611 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router_GW
!
boot-start-marker
boot-end-marker
!
enable secret XXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login LOCAL_AUTHEN local
aaa authorization network LOCAL_AUTHOR local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.100
ip dhcp excluded-address 10.0.0.0 10.0.100.255
!
ip dhcp pool DHCP_10
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.30.10 151.99.250.2
lease 7
!
ip dhcp pool DHCP_20
network 10.0.0.0 255.255.0.0
default-router 10.0.0.67
dns-server 192.168.30.10 151.99.250.2
lease 7
!
!
no ip domain lookup
ip domain name xxxxx.com
ip inspect name INSPECT appfw MY_APPFW_POL
!
appfw policy-name MY_APPFW_POL
application http
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
!
!
!
username xxxxxxxxxxxxx password xxxxxxxx
username xxxxxxxxxxxxx password xxxxxxxx
username xxxxxxxxxxxxx password xxxxxxxx
!
!
class-map match-any P2P_MAP
match protocol edonkey
match protocol bittorrent
match protocol gnutella
match protocol fasttrack
match protocol directconnect
match protocol napster
match protocol kazaa2
match protocol winmx
class-map match-any TORRENT_MAP
match protocol http url "*.torrent"
!
!
policy-map IN_POLICY
class P2P_MAP
drop
class TORRENT_MAP
drop
!
!
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNGROUP
key xxxxx
dns 192.168.30.10
pool IPPOOL
acl SPLIT_ACL
!
!
crypto ipsec transform-set MYSET esp-des esp-md5-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set MYSET
reverse-route
!
!
crypto map CLIENTMAP client authentication list LOCAL_AUTHEN
crypto map CLIENTMAP isakmp authorization list LOCAL_AUTHOR
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
interface FastEthernet0
switchport access vlan 76
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 20
!
interface FastEthernet3
switchport access vlan 30
!
interface FastEthernet4
description VERSO INT
ip address xxxxxxxx
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
crypto map CLIENTMAP
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
!
interface Vlan20
ip address 10.0.0.67 255.255.0.0
ip access-group NO_WWW_ACL in
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
service-policy input IN_POLICY
service-policy output IN_POLICY
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
service-policy input IN_POLICY
service-policy output IN_POLICY
!
interface Vlan76
ip address 192.168.76.1 255.255.255.0
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
!
ip local pool IPPOOL 172.21.0.20 172.21.0.30
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.3.3.0 255.255.255.0 192.168.10.36
ip route 10.4.4.0 255.255.255.0 192.168.10.36
ip route 192.168.100.0 255.255.255.0 192.168.10.50
!
!
no ip http server
no ip http secure-server
ip nat translation timeout 180
ip nat translation tcp-timeout 180
ip nat translation udp-timeout 180
ip nat translation finrst-timeout 45
ip nat translation syn-timeout 45
ip nat translation dns-timeout 45
ip nat translation icmp-timeout 45
ip nat inside source list NAT_ACL interface FastEthernet4 overload
ip nat inside source static tcp 192.168.10.50 22 interface FastEthernet4 1022
!
ip access-list extended NAT_ACL
deny ip 192.168.76.0 0.0.0.255 172.21.0.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 172.21.0.0 0.0.0.255
deny ip 192.168.30.0 0.0.0.255 172.21.0.0 0.0.0.255
deny ip 10.0.0.0 0.0.255.255 172.21.0.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.255.255 any
permit ip 192.168.30.0 0.0.0.255 any
permit ip 10.3.3.0 0.0.0.255 any
permit ip 10.4.4.0 0.0.0.255 any
permit ip 192.168.100.0 0.0.0.255 any
ip access-list extended NO_WWW_ACL
permit tcp host 10.0.100.230 host 192.168.30.10 eq www
permit tcp host 10.0.100.229 host 192.168.30.10 eq www
permit tcp host 10.0.100.228 host 192.168.30.10 eq www
deny tcp host 10.0.100.230 any eq www
deny tcp host 10.0.100.229 any eq www
deny tcp host 10.0.100.228 any eq www
permit ip any any
ip access-list extended SPLIT_ACL
permit ip 192.168.76.0 0.0.0.255 172.21.0.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 172.21.0.0 0.0.0.255
permit ip 192.168.30.0 0.0.0.255 172.21.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.255.255 172.21.0.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
session-timeout 10
logging synchronous
login authentication LOCAL_AUTHEN
no modem enable
line aux 0
line vty 0 4
session-timeout 10
logging synchronous
login authentication LOCAL_AUTHEN
transport input telnet ssh
!
scheduler max-task-time 5000
end

Router_GW#

[drascii]

Ciao a tutti,
scusate se riprendo l'argomento un po' in ritardo. Ma non ho ottenuto buoni risultati con IPS. Volevo un vostro parere x capire se c'e' qualcosa che non va nella conf o altro.

Questi sono stati i passi:
- aggiornato IOS a (C870-ADVIPSERVICESK9-M), Version 12.4(11)XW5
- configurato ips come segue

crypto key pubkey-chain rsa
named-key realm-cisco.pub signature
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit


ip ips signature-category
category all
retired true
event-action reset-tcp-connection deny-packet-inline produce-alert
category p2p
event-action reset-tcp-connection deny-packet-inline produce-alert
category viruses/worms/trojans
event-action reset-tcp-connection deny-packet-inline produce-alert
category ios_ips basic
retired false

ip ips name MYIPS

interface FastEthernet4
ip address x.x.x.x x.x.x.x
ip nbar protocol-discovery
ip nat outside
ip ips MYIPS in
ip ips MYIPS out
ip virtual-reassembly
speed 100
full-duplex
end

- INOLTRE da terminal ho questo messaggio
%IPS-4-SIGNATURE: Sig:11018 Subsig:0 Sev:50 [192.168.10.105:3616 -> 213.208.165.210:4662] RiskRating:42

grazie 1000