Re: Using NBAR to stop your users from getting Nimda from a web page

From: Trevor (trevorat_private)
Date: Sat Sep 22 2001 - 21:21:46 PDT


    One thing to keep in mind if using the ACL from that page... They suggest
    using:
    
    access-list 105 deny ip any any dscp 1 log
    access-list 105 permit ip any any
    
    Denying all ip will knock down any packets that have your regex strings in
    them. Doing a search on Google for "cmd.exe" will hang as it tries to return
    the results of your search :) Also, any email discussion (like this one)
    that has "readme.eml" in it will be denied. I changed mine to:
    
    Extended IP access list 153
        deny tcp any any eq www dscp 1 log (6012 matches)
        permit ip any any (228200 matches)
    
    This will only filter incoming www traffic.
    
    Also, is anyone using this on a 75xx series Cisco with dCEF? I've heard
    from a few people that they are only able to filter some of the traffic. I
    am not sure if it's from the high packet per second load (It's on an OC3)
    or something else. I have it running on my 2610 which doesn't use dCEF. I
    only have 3 web servers so I am not seeing a large amount of traffic. Any
    comments on this would be appreciated. Thanks.
    
    Trevor
    
    
    On Sat, 22 Sep 2001, Antonio Vasconcelos wrote:
    
    > If you have implemented NBAR in your Cisco routers to stop CodeRed, you can 
    > add a line that stops your users getting infected with Nimda when browsing 
    > an infected server using IE. (You can learn about setting up NBAR in 
    > http://iponeverything.net/CodeRed.html )
    > 
    > Inside the
    > 	class-map match-any {your_map_name}
    > 
    > just add the line
    > 
    > 	match protocol http url "*.eml*"
    > 
    > I don't know if there is any legit use to receiving .EML files in http, if 
    > there is, use "*readme.eml*" instead.
    > 
    > I'm not 100% sure if this works, my anti-virus (F-Secure) fires up anyway, 
    > but it may be because it is scanning the page and finding the javascript 
    > fragment. I don't really know. However, with that line in place I can't use 
    > wget (from a linux machine) to get the readme.eml file from an infected 
    > server, it just times out; without the line, I got the file all right.
    > 
    > (by the way, getting readme.eml with wget gives you the exact time when the 
    > server was infected)
    > 
    > [with]
    > --------------------------------------------------------------------------------
    > ||| lula:~ # wget -T 30 -t 1 -d AA.BB.CC.DD/readme.eml
    > ||| DEBUG output created by Wget 1.6 on linux-gnu.
    > |||
    > ||| parseurl ("AA.BB.CC.DD/readme.eml") -> host AA.BB.CC.DD -> opath 
    > readme.eml -> dir  -> file readme.eml -> ndir
    > ||| newpath: /readme.eml
    > ||| --04:37:24--  http://AA.BB.CC.DD/readme.eml
    > |||            => `readme.eml'
    > ||| Connecting to AA.BB.CC.DD:80... Created fd 3.
    > ||| connected!
    > ||| ---request begin---
    > ||| GET /readme.eml HTTP/1.0
    > ||| User-Agent: Wget/1.6
    > ||| Host: AA.BB.CC.DD
    > ||| Accept: */*
    > |||
    > ||| ---request end---
    > ||| HTTP request sent, awaiting response...
    > ||| Read error (Connection timed out) in headers.
    > ||| Closing fd 3
    > ||| Giving up.
    > --------------------------------------------------------------------------------
    > 
    > [without]
    > --------------------------------------------------------------------------------
    > ||| lula:~ # wget -T 30 -t 1 -d AA.BB.CC.DD/readme.eml
    > ||| DEBUG output created by Wget 1.6 on linux-gnu.
    > |||
    > ||| parseurl ("AA.BB.CC.DD/readme.eml") -> host AA.BB.CC.DD -> opath 
    > readme.eml -> dir  -> file readme.eml -> ndir
    > ||| newpath: /readme.eml
    > ||| --04:42:42--  http://AA.BB.CC.DD/readme.eml
    > |||            => `readme.eml'
    > ||| Connecting to AA.BB.CC.DD:80... Created fd 3.
    > ||| connected!
    > ||| ---request begin---
    > ||| GET /readme.eml HTTP/1.0
    > ||| User-Agent: Wget/1.6
    > ||| Host: AA.BB.CC.DD
    > ||| Accept: */*
    > |||
    > ||| ---request end---
    > ||| HTTP request sent, awaiting response... HTTP/1.1 200 OK
    > ||| Server: Microsoft-IIS/5.0
    > ||| Date: Sat, 22 Sep 2001 03:35:56 GMT
    > ||| Content-Type: message/rfc822
    > ||| Accept-Ranges: bytes
    > ||| Last-Modified: Tue, 18 Sep 2001 13:52:51 GMT
    > ||| ETag: "da9d10354940c11:89a"
    > ||| Content-Length: 79225
    > |||
    > |||
    > ||| Length: 79,225 [message/rfc822]
    > |||
    > |||     0K -> .......... .......... .......... .......... .......... [ 64%]
    > |||    50K -> .......... .......... .......                          [100%]
    > |||
    > ||| Closing fd 3
    > ||| 04:42:48 (14.22 KB/s) - `readme.eml' saved [79225/79225]
    > --------------------------------------------------------------------------------
    > 
    > Hope this helps... Good luck.
    > 
    > ----------
    > António Vasconcelos - ICQ #109994473 - Senior Network Management Support
    > CONVEX Portugal, Lda - T: +351-21-422-9200   F: +351-21-421-3787
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    
    
    
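    A question both posts leave open is how to tell whether the marking ACL is really catching traffic, beyond eyeballing the "(6012 matches)" counters Trevor quotes. The script below is an added example, not code from either poster or from the CodeRed page they reference. It parses two kinds of text a Cisco IOS router produces: `show access-lists` output in the form shown above, and the `%SEC-6-IPACCESSLOGP` syslog messages that the `log` keyword on an extended ACL entry generates. It then reports how much each entry grew between two readings and which sources were denied most. The ACL number 153 is taken from the thread; every snapshot, log line, address and count below is constructed for the example.

```python
"""Watch whether an NBAR/DSCP-marking ACL is actually catching traffic.

Added example (not from the thread). Inputs handled:
  * `show access-lists` output, e.g. "deny tcp any any eq www dscp 1 log (6012 matches)"
  * syslog lines from the ACL `log` keyword, which IOS emits as %SEC-6-IPACCESSLOGP
    (first matching packet immediately, then five-minute "N packets" summaries,
    so the totals derived from them are approximate).
All sample text here is constructed; only the ACL number 153 comes from the thread.
"""
import re
from collections import Counter

ACL_HEADER_RE = re.compile(r"^\s*(?:Extended|Standard) IP access list (?P<acl>\S+)")
ACL_ENTRY_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
    r"(?:\s+\((?P<matches>\d+) matches\))?\s*$"
)
IOS_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<packets>\d+) packets?"
)


def parse_show_access_lists(text):
    """Return {(acl, entry_text): match_count}; entries without a count give 0."""
    counters, acl = {}, None
    for line in text.splitlines():
        header = ACL_HEADER_RE.match(line)
        if header:
            acl = header["acl"]
            continue
        entry = ACL_ENTRY_RE.match(line)
        if entry and acl is not None:
            key = (acl, f"{entry['action']} {entry['proto']} {entry['rest']}")
            counters[key] = int(entry["matches"] or 0)
    return counters


def counter_delta(before, after):
    """Matches per entry between two snapshots.

    A counter that went down means `clear access-list counters` was run in
    between, so the new value is taken as the count since the reset.
    """
    delta = {}
    for key, now in after.items():
        prev = before.get(key, 0)
        delta[key] = now if now < prev else now - prev
    return delta


def summarize_denials(log_lines, acl="153"):
    """Aggregate ACL log messages for one ACL: (packets per source, packets per dst port)."""
    per_source, per_dport = Counter(), Counter()
    for line in log_lines:
        m = IOS_LOG_RE.search(line)
        if not m or m["acl"] != acl:   # other ACLs and non-ACL syslog lines are skipped
            continue
        n = int(m["packets"])
        per_source[m["src"]] += n
        per_dport[int(m["dport"])] += n
    return per_source, per_dport


# Constructed snapshots: the first mirrors the counts quoted in the thread,
# the second is a made-up later reading of the same ACL.
SNAPSHOT_BEFORE = """\
Extended IP access list 153
    deny tcp any any eq www dscp 1 log (6012 matches)
    permit ip any any (228200 matches)
"""
SNAPSHOT_AFTER = """\
Extended IP access list 153
    deny tcp any any eq www dscp 1 log (6300 matches)
    permit ip any any (231000 matches)
"""

# Constructed syslog lines using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "Sep 22 20:01:12 rtr1 101: %SEC-6-IPACCESSLOGP: list 153 denied tcp "
    "203.0.113.7(1042) -> 192.0.2.10(80), 1 packet",
    "Sep 22 20:06:12 rtr1 102: %SEC-6-IPACCESSLOGP: list 153 denied tcp "
    "203.0.113.7(1043) -> 192.0.2.10(80), 4 packets",
    "Sep 22 20:06:30 rtr1 103: %SEC-6-IPACCESSLOGP: list 153 denied tcp "
    "198.51.100.22(3301) -> 192.0.2.11(80), 2 packets",
    "Sep 22 20:07:02 rtr1 104: %SEC-6-IPACCESSLOGP: list 105 denied tcp "
    "203.0.113.9(2001) -> 192.0.2.10(25), 1 packet",
    "Sep 22 20:07:05 rtr1 105: %SYS-5-CONFIG_I: Configured from console by vty0",
]


def report():
    """Print a short summary and return the data behind it."""
    delta = counter_delta(parse_show_access_lists(SNAPSHOT_BEFORE),
                          parse_show_access_lists(SNAPSHOT_AFTER))
    per_source, per_dport = summarize_denials(SAMPLE_LOG, acl="153")
    for (acl, entry), n in delta.items():
        print(f"ACL {acl}: {n:>6} new matches on '{entry}'")
    for src, n in per_source.most_common():
        print(f"{src:>15}: {n} packet(s) denied")
    return delta, per_source, per_dport


if __name__ == "__main__":
    report()
```

    Run the script as-is to see the constructed data summarised; on a real router, feed it two `show access-lists` captures taken some minutes apart and the syslog export for the same window. A deny counter that stops growing while the permit counter keeps climbing is the quickest sign that marking is not happening on a given box, which is the kind of evidence the 75xx/dCEF question above needs.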



    This archive was generated by hypermail 2b30 : Sun Sep 23 2001 - 10:17:10 PDT