New Features in NBAR2 Protocol Pack 7.0.0
SSL Unique-name Sub-classification
In this protocol pack, a new sub-classification parameter called 'unique-name' is introduced for SSL. The unique-name parameter can be used to match SSL sessions of servers that are not known globally, or are not yet supported by NBAR. The unique-name will match the server name indication (SNI) field in the client request if the SNI field exists, or it will match the common name (CN) field in the first certificate of the server's response.
The feature also supports SSL sessions that are resumed with a session ID, not only sessions that perform a full handshake.
The following example shows how an SSL-based service with the server name 'finance.cisco.com' is matched using unique-name:
class-map match-any cisco-finance
 match protocol ssl unique-name finance.cisco.com
Note: The SSL sub-classification parameters have priority over the built-in signatures. Therefore, when a 'unique-name' defined by a user matches a known application such as Facebook, it will not match the built-in protocol but will match SSL with the configured sub-classification.
Note: Similar to the other sub-classification features, the classification result (for example, as seen in protocol-discovery) does not change and will remain SSL. However, the flows matching the class maps (as in the example above) will receive the services such as QoS and Performance Monitor configured for them. To view the detailed matching statistics, refer to the policy-map counters.
Reference: http://tools.ietf.org/html/rfc6101
RTP Dynamic Payload Type Sub-classification
In this protocol pack, the existing sub-classification parameters for 'RTP audio' and 'RTP video' are enhanced to detect RTP flows that use dynamic payload types (PT). Dynamic PTs are those in the range 96 to 127, as defined in the RTP profile RFC (RFC 3551); they are not fixed but are negotiated per session by signaling protocols such as SIP and RTSP. In this protocol pack, only RTP sessions initiated using SIP are matched by dynamic payload type.
The feature is configured and used in the same way as before.
The following example shows how to detect RTP audio flows that use static as well as dynamic PTs:
class-map match-any generic-rtp-audio
 match protocol rtp audio
Note: The RTP audio/video sub-classification parameters are generic in nature and will match only on generic RTP traffic. More specific classifications such as ms-lync-audio, cisco-jabber-audio, facetime, and cisco-phone will not match as RTP, and therefore will not match the audio/video sub-classification.
Reference: http://tools.ietf.org/html/rfc3551
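The following Python is an added example (not Cisco's implementation) of why a dynamic PT can only be classified with help from signaling: it reads the PT from a constructed RTP header, resolves static PTs from the RFC 3551 assignment table, and resolves dynamic PTs only through a payload map parsed from a constructed SDP body of the kind a SIP INVITE carries. The `SAMPLE_SDP` text, the `build_rtp` helper, and the subset of static PTs in `STATIC_PT` are this example's own assumptions.

```python
import re

# Static payload types with their media kind, a subset of the RFC 3551 assignment table.
STATIC_PT = {
    0: ("PCMU", "audio"), 3: ("GSM", "audio"), 4: ("G723", "audio"),
    8: ("PCMA", "audio"), 9: ("G722", "audio"), 18: ("G729", "audio"),
    26: ("JPEG", "video"), 31: ("H261", "video"), 32: ("MPV", "video"),
    34: ("H263", "video"),
}

# Constructed SDP body as it would appear in a SIP INVITE (not a capture).
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 96\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:96 opus/48000/2\r\n"
    "m=video 51372 RTP/AVP 97\r\n"
    "a=rtpmap:97 H264/90000\r\n"
)

def parse_sdp_payload_map(sdp):
    """Return {payload_type: (codec, 'audio'|'video')} from the m= and a=rtpmap lines.
    This per-session binding is what gives a dynamic PT (96-127) its meaning."""
    kinds, codecs = {}, {}
    for line in sdp.splitlines():
        m = re.match(r"m=(audio|video) \d+ RTP/\S+ (.+)$", line)
        if m:
            for pt in m.group(2).split():
                kinds[int(pt)] = m.group(1)
        a = re.match(r"a=rtpmap:(\d+) ([^/]+)/", line)
        if a:
            codecs[int(a.group(1))] = a.group(2)
    return {pt: (codecs.get(pt, STATIC_PT.get(pt, ("?",))[0]), kind)
            for pt, kind in kinds.items()}

def build_rtp(pt, seq=1, marker=False, payload=b"\x00" * 20):
    """Construct a 12-byte RTP header (V=2, no padding/extension/CSRC) plus payload."""
    return (bytes([0x80, (0x80 if marker else 0) | (pt & 0x7F)])
            + seq.to_bytes(2, "big") + (0).to_bytes(4, "big")   # sequence, timestamp
            + b"\xde\xad\xbe\xef" + payload)                     # SSRC, payload

def rtp_payload_type(packet):
    """Return (pt, is_dynamic), or None if this is not an RTP version 2 packet."""
    if len(packet) < 12 or packet[0] >> 6 != 2:
        return None
    pt = packet[1] & 0x7F
    return pt, 96 <= pt <= 127

def classify_rtp(packet, session_map):
    """Mirror the behaviour described above: static PTs classify on their own;
    dynamic PTs classify only when signaling (session_map) has bound them."""
    parsed = rtp_payload_type(packet)
    if parsed is None:
        return None
    pt, dynamic = parsed
    if not dynamic and pt in STATIC_PT:
        return STATIC_PT[pt][1]
    if dynamic and pt in session_map:
        return session_map[pt][1]
    return None   # unsignaled dynamic PT (or unlisted static PT): generic RTP only

if __name__ == "__main__":
    session = parse_sdp_payload_map(SAMPLE_SDP)
    print(classify_rtp(build_rtp(0), {}))         # audio  (static PCMU, no signaling needed)
    print(classify_rtp(build_rtp(96), {}))        # None   (dynamic PT without signaling)
    print(classify_rtp(build_rtp(96), session))   # audio  (bound to opus by the SDP)
```

The `None` result for PT 96 without a session map is the situation the feature addresses: a monitor that did not see the SIP exchange has no way to know whether PT 96 is audio or video.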
Modbus Function Code Subclassification
In this protocol pack, new sub-classification parameters are introduced for Modbus. They can be used to match individual Modbus function codes, such as the READ and WRITE operations of the protocol.
The parameters available for the modbus protocol are as follows:
Parameter Name            Modbus Function Name            Modbus Function Code
read-coils                Read Coils                      0x01
read-discrete-input       Read Discrete Inputs            0x02
read-holding-registers    Read Holding Registers          0x03
read-input-register       Read Input Register             0x04
write-single-coil         Write Single Coil               0x05
write-single-register     Write Single Register           0x06
read-exception-status     Read Exception Status           0x07
write-multiple-coils      Write Multiple Coils            0x0F
write-multiple-registers  Write Multiple Registers        0x10
read-file-record          Read File Record                0x14
write-file-record         Write File Record               0x15
mask-write-register       Mask Write Register             0x16
read-or-write-registers   Read/Write Multiple Registers   0x17
read-FIFO-Queue           Read FIFO Queue                 0x18
encapsulated-transport    Encapsulated Transport          0x2B
The following example shows how to match a Modbus function code:
class-map match-any modbus-read-coils
 match protocol modbus read-coils
Reference: http://www.modbus.org/docs/Modbus_Messaging_Implementation_Guide_V1_0b.pdf
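As an added example (written for this note; not the protocol pack's classifier), the following Python parses a Modbus/TCP ADU (the 7-byte MBAP header followed by the PDU), validates the header, reads the function code, and maps it to the sub-classification parameter name from the table above. It also handles exception responses, where the server sets the high bit of the function code, and groups the write-type codes so a defender can count or alert on state-changing operations separately. The constructed frames and the `WRITE_FUNCTIONS` grouping are this example's assumptions.

```python
import struct

# Function code -> NBAR2 sub-classification parameter, as listed in the table above.
MODBUS_PARAM = {
    0x01: "read-coils", 0x02: "read-discrete-input", 0x03: "read-holding-registers",
    0x04: "read-input-register", 0x05: "write-single-coil", 0x06: "write-single-register",
    0x07: "read-exception-status", 0x0F: "write-multiple-coils",
    0x10: "write-multiple-registers", 0x14: "read-file-record", 0x15: "write-file-record",
    0x16: "mask-write-register", 0x17: "read-or-write-registers", 0x18: "read-FIFO-Queue",
    0x2B: "encapsulated-transport",
}

# Codes that modify device state; this grouping is the example's, not the page's.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x15, 0x16, 0x17}

def parse_modbus_tcp(frame):
    """Parse a Modbus/TCP ADU. Returns a dict, or None when the frame is not
    well-formed Modbus/TCP (bad protocol id or inconsistent length field)."""
    if len(frame) < 8:
        return None
    tid, pid, length, uid, fc = struct.unpack("!HHHBB", frame[:8])
    # MBAP rules: protocol id is always 0; length counts unit id + PDU bytes.
    if pid != 0 or length != len(frame) - 6:
        return None
    exception = bool(fc & 0x80)          # error responses set the high bit
    fc &= 0x7F
    return {
        "transaction_id": tid,
        "unit_id": uid,
        "function_code": fc,
        "exception": exception,
        "exception_code": frame[8] if exception and len(frame) > 8 else None,
        "param": MODBUS_PARAM.get(fc),   # None for codes the pack does not list
        "data": frame[8:],
    }

def classify_modbus(frame):
    """Sub-classification parameter name this frame would match, or None."""
    parsed = parse_modbus_tcp(frame)
    return parsed["param"] if parsed else None

def is_write_function(fc):
    return fc in WRITE_FUNCTIONS

# Constructed frames (not captured traffic):
READ_COILS_REQ = bytes.fromhex("0001 0000 0006 01 01 0000 000a")         # read 10 coils from address 0
WRITE_SINGLE_REG_REQ = bytes.fromhex("0002 0000 0006 01 06 0001 0003")   # write value 3 to register 1
READ_COILS_EXC_RESP = bytes.fromhex("0003 0000 0003 01 81 02")           # exception 0x02 to read-coils

if __name__ == "__main__":
    for frame in (READ_COILS_REQ, WRITE_SINGLE_REG_REQ, READ_COILS_EXC_RESP):
        p = parse_modbus_tcp(frame)
        print(p["param"], "exception" if p["exception"] else "ok",
              "WRITE" if is_write_function(p["function_code"]) else "read")
```

Matching on `param` is equivalent to the class-map above; a class-map per write-type parameter, applied to Performance Monitor, gives per-function counters that make unexpected writes visible without decoding the data field.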