Hi Randy,

We are currently trying the solution you provided (it's 3.30 am here in PT) and we're happy to say that it works perfectly. The URL that comes with Code Red is dropped without any questions asked, and the log shows a 408 reply (Request Timed Out, according to the HTTP RFC) on the web server log, keeping the content out. You can check out the output from the log below.

Before implementing NBAR:

194.x.x.x - - [08/Aug/2001:03:13:31 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 889

After implementing NBAR:

194.x.x.x - - [08/Aug/2001:03:34:17 +0000] "-" 408 -

So it's OK to go ahead and spread the word ;-). Just one thing... you forgot to mention that IP CEF has to be configured for the policy map to work, like this:

Router(config)#ip cef
Router(config)#int s0/0
Router(config-if)#ip route-cache cef

It's a bit hard on the processor, but we can't make omelets without breaking some eggs :-).

Last, but not least, IOS version 12.1(5)T is deferred, so we'd recommend using version 12.1(5)T9 instead. It's tested and working on a 2600 platform.

Thanks for the tip and best regards,

Antonio Vasconcelos & Nelson Neves

At 18:31 2001.08.07 -0400, Randall S. Benn wrote:
>A new method for blocking Code Red and similar exploits that use HTTP GET
>requests has been published. The method uses new capabilities within
>Cisco IOS software. Read the on-line advisory at:
>
>http://iponeverything.net/CodeRed.html
>
>The beauty of this solution is that it can be used to block Code Red
>infections today and can be easily modified with new signatures in the
>future using the HTTP sub-port classification mechanism in IOS.
>
>Randy
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
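The before/after entries quoted in the mail show what a working NBAR filter leaves in the web server log: the Code Red GET no longer reaches the server and a bare 408 with no request line takes its place. The following is an added Python example, not code from the mail or from the linked advisory, that parses Common Log Format lines and tallies the two cases so the change can be confirmed over a whole log instead of by eye; the sample lines, their addresses and the shortened X run are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two entries quoted in the mail
# (addresses from the documentation range; the run of X is shortened).
SAMPLE_LINES = [
    '192.0.2.10 - - [08/Aug/2001:03:13:31 +0000] "GET /default.ida?' + 'X' * 40
    + '%u9090%u6858%ucbd3%u7801%u00=a HTTP/1.0" 404 889',
    '198.51.100.7 - - [08/Aug/2001:03:15:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [08/Aug/2001:03:34:17 +0000] "-" 408 -',
]

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$')
# Code Red probe: GET /default.ida? followed by a long run of X and %u escapes
CODE_RED = re.compile(r'^GET /default\.ida\?X{20,}.*%u[0-9a-fA-F]{4}', re.I)


def classify(line):
    """Return a dict describing one log line, or None if it does not parse."""
    m = CLF.match(line.strip())
    if not m:
        return None
    req, status = m['req'], int(m['status'])
    if CODE_RED.search(req):
        kind = 'code-red'            # the probe reached the web server intact
    elif req == '-' and status == 408:
        kind = 'no-request-408'      # connection opened, request never arrived
    else:
        kind = 'other'
    return {'host': m['host'], 'ts': m['ts'], 'status': status, 'kind': kind}


def summarize(lines):
    """Count (kind, status) pairs so before/after logs can be compared."""
    counts = Counter()
    for line in lines:
        rec = classify(line)
        if rec is not None:
            counts[(rec['kind'], rec['status'])] += 1
    return counts


if __name__ == '__main__':
    for kind_status, n in sorted(summarize(SAMPLE_LINES).items()):
        print(kind_status, n)
```

Once the filter is in place, the 'code-red' count for a given source should drop to zero while 'no-request-408' entries appear in its place, which is exactly the pattern the two quoted log lines show.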
This archive was generated by hypermail 2b30 : Wed Aug 08 2001 - 11:50:15 PDT