这是应用在一台2600,IOS12.0以上的
class-map match-any iissucks
match protocol http url "*cmd.exe*"
match protocol http url "*.ida*"
match protocol http url "*root.exe*"
match protocol http url "*mem_bin*"
match protocol http url "*vti_bin*"
match protocol http url "*msadc*"
match protocol http url "*winnt*"
!
!
policy-map mark-http-crap
class iissucks
set ip dscp 1
access-list 131 deny ip any any dscp 1 log
access-list 131 permit ip any any
Outside interface:
service-policy input mark-http-crap
Inside interface:
ip access-group 131 out
