Mailing List Archive

filter to count http requests
Hi,

I'm trying to count HTTP requests forwarded to my uplink. I've written the
filter given below and applied it to the uplink interface as an output
filter. Is this a safe method to measure HTTP requests?

Regards,
Tchoel

firewall filter httpRequests {
    term countHttp {
        from {
            protocol tcp;
            port 80;
            tcp-initial;
        }
        then {
            count httpRequests;
            accept;
        }
    }
    term others {
        then {
            accept;
        }
    }
}









filter to count http requests [ In reply to ]
If there is just one host connected to your uplink, that filter will help
you count what you are looking for.

Thanks
german


______________________________________________________________

"Peace cannot be kept by force. It can only be achieved by
understanding." Albert Einstein.

---------------------------------------------------------------

On Mon, 18 Nov 2002, tchoel . wrote:

> Hi,
>
> I'm trying to count HTTP requests forwarded to my uplink. I've written the
> filter given below and applied it to the uplink interface as an output
> filter. Is this a safe method to measure HTTP requests?
>
> Regards,
> Tchoel
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
filter to count http requests [ In reply to ]
hi,

No, in fact there is a large network connected to the upstream via the filtered
interface. I couldn't understand why I cannot count the network's
total requests. I'm not an expert on TCP processes. I know that browsers
utilize several (4?) TCP sessions to retrieve the requested URL. Is that
the reason the filter fails for a network? Can you refer me to any source of
information for that?
Thanks for your time.

Regards,
tchoel





>From: German Martinez <gmartine@mafalda.opentransit.net>
>To: "tchoel ." <tchoel@hotmail.com>
>CC: <juniper-nsp@puck.nether.net>
>Subject: Re: [j-nsp] filter to count http requests
>Date: Mon, 18 Nov 2002 11:24:23 -0500 (EST)
>
>If there is just one host connected to your uplink, that filter will help
>you count what you are looking for.
>
>Thanks
>german
filter to count http requests [ In reply to ]
I'd say that if you use destination-address you will be able to specify the
host.

For more information go to http://www.juniper.net and look for firewall
filters

Thanks
German


filter to count http requests [ In reply to ]
Only HTTP/1.0 requests. HTTP/1.1 can be (and usually are) made by several
requests over a single TCP session.
But measuring HTTP sessions (each one being one or more requests from the
same client) is a good starting point to detect "slashdotting" and
denial-of-service.



Rubens


----- Original Message -----
| I'm trying to count HTTP requests forwarded to my uplink. I've written the
| filter given below and applied it to the uplink interface as an output
| filter. Is this a safe method to measure HTTP requests?
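
The gap between TCP sessions and HTTP requests raised in the last reply, as an added example that is not part of the original thread: a Python model of the posted term run over a constructed packet trace. The `Pkt` type, the trace and the helper names are assumptions for illustration; the model uses the Junos meaning of `port` (source or destination) and `tcp-initial` (SYN set, ACK clear).

```python
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Pkt:
    src_port: int
    dst_port: int
    flags: int
    payload: bytes = b""


def matches_count_http(p: Pkt) -> bool:
    """Model of term countHttp: 'port 80' matches source OR destination
    port; 'tcp-initial' matches SYN set with ACK clear."""
    initial = bool(p.flags & SYN) and not (p.flags & ACK)
    return initial and 80 in (p.src_port, p.dst_port)


def is_http_request(p: Pkt) -> bool:
    """Simplified: a client-to-server segment that starts with a request line."""
    return p.dst_port == 80 and p.payload.startswith((b"GET ", b"POST ", b"HEAD "))


def connection(src_port, requests, syn_retransmits=0):
    """Constructed client-side packets for one TCP connection to port 80."""
    pkts = [Pkt(src_port, 80, SYN) for _ in range(1 + syn_retransmits)]
    pkts.append(Pkt(src_port, 80, ACK))  # handshake completes
    pkts += [Pkt(src_port, 80, ACK, b"GET /%d HTTP/1.1\r\n" % i)
             for i in range(requests)]
    return pkts


# Constructed trace (not captured traffic), as seen by a stateless output filter.
TRACE = (
    connection(40001, requests=1)                       # one request, then close
    + connection(40002, requests=3)                     # HTTP/1.1 persistent connection
    + connection(40003, requests=1, syn_retransmits=1)  # first SYN lost, sent again
)


def filter_counter(trace):
    """Value the 'count httpRequests' counter would reach on this trace."""
    return sum(matches_count_http(p) for p in trace)


def http_requests(trace):
    """Number of HTTP requests actually carried in the trace."""
    return sum(is_http_request(p) for p in trace)


if __name__ == "__main__":
    print("counter httpRequests:", filter_counter(TRACE))
    print("actual HTTP requests:", http_requests(TRACE))
```

On this trace the counter is off in both directions: the persistent connection carries three requests behind one SYN, and the retransmitted SYN is counted twice because the filter keeps no state.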