One thing to keep in mind if using the ACL from that page... They suggest using:

access-list 105 deny ip any any dscp 1 log
access-list 105 permit ip any any

Denying all IP will knock down any packets that have your regex strings in them. Doing a search on Google for "cmd.exe" will hang as it tries to return the results of your search :) Also, any email discussion (like this one) that has "readme.eml" in it will be denied.

I changed mine to:

Extended IP access list 153
    deny tcp any any eq www dscp 1 log (6012 matches)
    permit ip any any (228200 matches)

This will only filter incoming www traffic.

Also, is anyone using this on a 75xx series Cisco with dCEF? I've heard from a few people that they are only able to filter some of the traffic. I am not sure if it's from the high packet per second load (it's on an OC3) or something else. I have it running on my 2610 which doesn't use dCEF. I only have 3 web servers so I am not seeing a large amount of traffic.

Any comments on this would be appreciated.

Thanks.

Trevor

On Sat, 22 Sep 2001, Antonio Vasconcelos wrote:

> If you have implemented NBAR in your cisco routers to stop CodeRed, you can
> add a line that stops your users getting infected with Nimda when browsing
> an infected server using IE. (You can learn about setting up NBAR in
> http://iponeverything.net/CodeRed.html )
>
> Inside the
> class-map match-any {your_map_name}
>
> just add the line
>
> match protocol http url "*.eml*"
>
> I don't know if there is any legit use to receiving .EML files in http, if
> there is, use "*readme.eml*" instead.
>
> I'm not 100% sure if this works, my anti-virus (F-Secure) fires up anyway,
> but it may be because it is scanning the page and finding the javascript
> fragment. I don't really know. However, with that line in place I can't use
> wget (from a linux machine) to get the readme.eml file from an infected
> server, it just times out; without the line, I got the file all right.
>
> (by the way, getting readme.eml with wget gives you the exact time when the
> server was infected)
>
> [with]
> --------------------------------------------------------------------------------
> ||| lula:~ # wget -T 30 -t 1 -d AA.BB.CC.DD/readme.eml
> ||| DEBUG output created by Wget 1.6 on linux-gnu.
> |||
> ||| parseurl ("AA.BB.CC.DD/readme.eml") -> host AA.BB.CC.DD -> opath readme.eml -> dir -> file readme.eml -> ndir
> ||| newpath: /readme.eml
> ||| --04:37:24-- http://AA.BB.CC.DD/readme.eml
> |||            => `readme.eml'
> ||| Connecting to AA.BB.CC.DD:80... Created fd 3.
> ||| connected!
> ||| ---request begin---
> ||| GET /readme.eml HTTP/1.0
> ||| User-Agent: Wget/1.6
> ||| Host: AA.BB.CC.DD
> ||| Accept: */*
> |||
> ||| ---request end---
> ||| HTTP request sent, awaiting response... Read error (Connection timed out) in headers.
> ||| Closing fd 3
> ||| Giving up.
> --------------------------------------------------------------------------------
>
> [without]
> --------------------------------------------------------------------------------
> ||| lula:~ # wget -T 30 -t 1 -d AA.BB.CC.DD/readme.eml
> ||| DEBUG output created by Wget 1.6 on linux-gnu.
> |||
> ||| parseurl ("AA.BB.CC.DD/readme.eml") -> host AA.BB.CC.DD -> opath readme.eml -> dir -> file readme.eml -> ndir
> ||| newpath: /readme.eml
> ||| --04:42:42-- http://AA.BB.CC.DD/readme.eml
> |||            => `readme.eml'
> ||| Connecting to AA.BB.CC.DD:80... Created fd 3.
> ||| connected!
> ||| ---request begin---
> ||| GET /readme.eml HTTP/1.0
> ||| User-Agent: Wget/1.6
> ||| Host: AA.BB.CC.DD
> ||| Accept: */*
> |||
> ||| ---request end---
> ||| HTTP request sent, awaiting response... HTTP/1.1 200 OK
> ||| Server: Microsoft-IIS/5.0
> ||| Date: Sat, 22 Sep 2001 03:35:56 GMT
> ||| Content-Type: message/rfc822
> ||| Accept-Ranges: bytes
> ||| Last-Modified: Tue, 18 Sep 2001 13:52:51 GMT
> ||| ETag: "da9d10354940c11:89a"
> ||| Content-Length: 79225
> |||
> |||
> ||| Length: 79,225 [message/rfc822]
> |||
> |||     0K -> .......... .......... .......... .......... .......... [ 64%]
> |||    50K -> .......... .......... .......                          [100%]
> |||
> ||| Closing fd 3
> ||| 04:42:48 (14.22 KB/s) - `readme.eml' saved [79225/79225]
> --------------------------------------------------------------------------------
>
> Hope this helps... Good luck.
>
> ----------
> António Vasconcelos - ICQ #109994473 - Senior Network Management Support
> CONVEX Portugal, Lda - T: +351-21-422-9200 F: +351-21-421-3787
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------
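The two ACL variants the thread compares, laid out as one complete IOS configuration so the marking and the filtering can be seen together. This is an added illustration, not the poster's config nor the iponeverything.net page's; the class-map, policy-map and interface names are placeholders, and the two URL strings are just the ones mentioned in the thread.

```cisco
! Classify HTTP requests whose URL contains the strings discussed in the thread.
! NBAR inspects the HTTP URL, so the match is on request content, not on port 80 alone.
class-map match-any HTTP-WORM-URLS
 match protocol http url "*cmd.exe*"
 match protocol http url "*readme.eml*"
!
! Mark matching packets with DSCP 1 so an ACL further along the path can act on them.
policy-map MARK-WORM-TRAFFIC
 class HTTP-WORM-URLS
  set ip dscp 1
!
! Apply the marking policy inbound on the Internet-facing interface (placeholder name).
interface Serial0/0
 description Internet uplink
 service-policy input MARK-WORM-TRAFFIC
!
! Variant A (the one the post warns about): every DSCP 1 packet is dropped,
! so a Google search for "cmd.exe" or a list archive page that mentions
! readme.eml is blocked along with the worm requests.
access-list 105 deny   ip any any dscp 1 log
access-list 105 permit ip any any
!
! Variant B (Trevor's change): only marked packets headed to TCP port 80
! are dropped; everything else, marked or not, is permitted.
access-list 153 deny   tcp any any eq www dscp 1 log
access-list 153 permit ip any any
!
! The ACL must sit after the marking, so apply it outbound on the interface
! facing the web servers (placeholder name) rather than inbound on the uplink.
interface FastEthernet0/0
 description Server LAN
 ip access-group 153 out
```

With `log` on the deny line, `show access-lists 153` gives the match counters Trevor quotes, which is the quickest way to confirm the marking is actually reaching the ACL on a given platform.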
This archive was generated by hypermail 2b30 : Sun Sep 23 2001 - 10:17:10 PDT