At 00:21 2001.09.23 -0400, you wrote:
>One thing to keep in mind if using the ACL from that page... They suggest
>using:
>
>access-list 105 deny ip any any dscp 1 log
>access-list 105 permit ip any any
>
>Denying all ip will knock down any packets that have your regex strings in
>it. Doing a search on Google for "cmd.exe" will hang as it tries to return
>the results of your search :) Also, any email discussion (like this one)
>that has "readme.eml" in it will be denied. I changed mine to:

I don't think so, because the regexp is applied only to the URL, not to the contents, and only to http. I wish there were a generic way to match a regexp to any packet: payloads, headers, options, etc.

Router(config)#class-map match-any http-hacks
Router(config-cmap)#match protocol http url "*default.ida*"

It's an "in" list, so you'll only have problems if you have some kind of service where users can submit a request where "default.ida" is part of the URL, like a search form using the GET method. It should be ok if the form uses POST, but I'd have to try that to be sure.

>Also, is anyone using this on a 75xx series Cisco with dCEF? I've heard
>from a few people that they are only able to filter some of the traffic. I
>am not sure if it's from the high packet per second load (It's on an OC3)
>or something else. I have it running on my 2610 which doesn't use dCEF. I
>only have 3 web servers so I am not seeing a large amount of traffic. Any
>comments on this would be appreciated. Thanks.

No, I'm using it on a 2610 too, and at low data rates (256 K). If it weren't for the fact that I can use it for blocking "readme.eml", I would drop NBAR now, because I know that my network isn't vulnerable to a CodeRed infection from the outside (only Apache servers have static NAT addresses), and it looks to be much better for my bandwidth to just tarpit the requests using a tool like LaBrea (www.hackbusters.net).

...take care...
----------
António Vasconcelos - ICQ #109994473 - Senior Network Management Support
CONVEX Portugal, Lda - T: +351-21-422-9200 F: +351-21-421-3787

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
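An added illustration of the URL-only matching discussed in the message above; this is not code from the thread or from Cisco, but a constructed Python model of an "http-hacks" class that inspects only the HTTP request-line URL with NBAR-style `*` wildcards. The pattern list and the simplified glob semantics are assumptions, and the sample payloads are constructed.

```python
import re
from typing import Optional

# Assumed pattern list, in the style of "match protocol http url": '*' is a
# wildcard for any run of characters, everything else is literal.
HTTP_HACK_URLS = ["*default.ida*", "*cmd.exe*", "*root.exe*", "*readme.eml*"]


def url_glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an NBAR-style URL wildcard pattern into an anchored regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def http_request_url(payload: bytes) -> Optional[str]:
    """Return the request-target from the HTTP request line, or None if the
    payload is not an HTTP request. Only the request line is looked at; the
    body (e.g. a POST form) is never inspected, which is the point of the model."""
    try:
        first_line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    tokens = first_line.split(" ")
    if len(tokens) != 3 or not tokens[2].startswith("HTTP/"):
        return None
    if tokens[0] not in {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}:
        return None
    return tokens[1]


def classify(payload: bytes, patterns=HTTP_HACK_URLS) -> bool:
    """True when the packet would fall into the http-hacks class (and then be
    marked DSCP 1 by a policy-map and dropped by an ACL such as access-list 105)."""
    url = http_request_url(payload)
    if url is None:
        return False
    return any(url_glob_to_regex(p).match(url) for p in patterns)


# Constructed sample payloads (not real captures).
CODE_RED_LIKE = b"GET /default.ida?XXXX HTTP/1.0\r\nHost: x\r\n\r\n"
GET_SEARCH = b"GET /search?q=default.ida HTTP/1.1\r\nHost: example.test\r\n\r\n"
POST_SEARCH = (b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 13\r\n\r\nq=default.ida")
SMTP_BODY = b"DATA\r\nSubject: Nimda\r\n\r\nsee readme.eml attached\r\n.\r\n"
```

Running `classify` over the four payloads shows that only the two GET requests carrying the string in their URL are classified; the POST form body and the mail containing "readme.eml" are not, matching the behaviour the reply describes.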
This archive was generated by hypermail 2b30 : Mon Sep 24 2001 - 08:22:02 PDT