Re: Using NBAR to stop your users from getting Nimda from a web page

From: Antonio Vasconcelos (vascoat_private)
Date: Sun Sep 23 2001 - 10:50:52 PDT


    At 00:21 2001.09.23 -0400, you wrote:
    >One thing to keep in mind if using the ACL from that page... They suggest
    >using:
    >
    >access-list 105 deny ip any any dscp 1 log
    >access-list 105 permit ip any any
    >
    >Denying all ip will knock down any packets that have your regex strings in
    >it. Doing a search on Google for "cmd.exe" will hang as it tries to return
    >the results of your search :) Also, any email discussion (like this one)
    >that has "readme.eml" in it will be denied. I changed mine to:
    
    I don't think so, because the regexp is applied only to the URL, not to the 
    contents, and only to HTTP.
    I wish there were a generic way to match a regexp against any packet: payloads, 
    headers, options, etc.
    
    Router(config)#class-map match-any http-hacks
    Router(config-cmap)#match protocol http url "*default.ida*"
    
    It's an "in" list, so, you'll only have problems if you have some kind of 
    service where users can submit a request where "default.ida" is part of the 
    url, like a search form using GET method, it should be ok if the form uses 
    POST, but I'd have to try that to be sure.
    
    >Also, is anyone using this on a 75xx series Cisco with dCEF? I've heard
    >from a few people that they are only able to filter some of the traffic. I
    >am not sure if it's from the high packet per second load (It's on an OC3)
    >or something else. I have it running on my 2610 which doesn't use dCEF. I
    >only have 3 web servers so I am not seeing a large amount of traffic. Any
    >comments on this would be appreciated. Thanks.
    
    No, I'm using it on a 2610 too, and at low data rates (256 K).
    
    If it weren't for the fact that I can use it for blocking "readme.eml", I would drop 
    NBAR now, because I know that my network is not vulnerable to a CodeRed 
    infection from the outside (only Apache servers have static NAT addresses), 
    and it looks to be much better for my bandwidth just to tarpit the requests 
    using a tool like LaBrea (www.hackbusters.net).
    
    ...take care...
    
    ----------
    António Vasconcelos - ICQ #109994473 - Senior Network Management Support
    CONVEX Portugal, Lda - T: +351-21-422-9200   F: +351-21-421-3787
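    The scope question discussed in this message (does the class-map's wildcard hit
    only the HTTP request URL, or any packet carrying the string?) can be checked
    against a small model. The following Python is an added illustration, not Cisco
    code and not the poster's router configuration: it assumes that
    "match protocol http url" applies the pattern only to the request target of an
    HTTP request line, and it approximates NBAR's "*" wildcard with fnmatch. The
    sample flows are constructed, not captured traffic.

```python
from fnmatch import fnmatchcase

# Wildcard strings from the thread (CodeRed's default.ida, Nimda's cmd.exe
# and readme.eml), in the form used by "match protocol http url".
URL_PATTERNS = ["*default.ida*", "*cmd.exe*", "*readme.eml*"]


def http_request_target(payload: bytes):
    """Return the request target from an HTTP request line, or None when
    the payload does not start with one (i.e. the flow is not HTTP)."""
    line, _, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    if parts[0] not in (b"GET", b"POST", b"HEAD"):
        return None
    return parts[1].decode("latin-1")


def url_match(payload: bytes, patterns=URL_PATTERNS) -> bool:
    """Model of the class-map (assumption: URL-only scope): True only if the
    payload is an HTTP request whose request target matches a pattern."""
    target = http_request_target(payload)
    if target is None:
        return False
    return any(fnmatchcase(target, p) for p in patterns)


def classify(flows: dict) -> set:
    """Names of the flows the class-map would mark, which the DSCP-based
    ACL quoted in the thread would then deny."""
    return {name for name, payload in flows.items() if url_match(payload)}


# Constructed sample flows (hypothetical hosts, RFC 5737 / example.com names).
SAMPLE_FLOWS = {
    # CodeRed-style probe: the string is in the request target, so it is marked.
    "codered_probe": b"GET /default.ida?XXXX HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n",
    # Nimda attachment fetched from a web page: marked.
    "nimda_eml": b"GET /readme.eml HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n",
    # Search form using GET: the string sits in the query string, so it is
    # marked too (the false positive the thread worries about).
    "search_get": b"GET /search?q=cmd.exe HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    # Search form using POST: the string is only in the body, not the URL.
    "search_post": (b"POST /search HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Content-Length: 9\r\n\r\nq=cmd.exe"),
    # Mail traffic: not HTTP, so the url match never applies.
    "smtp_mail": b"DATA\r\nSubject: readme.eml in this thread\r\n.\r\n",
    # Ordinary page fetch: passes.
    "normal_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in sorted(SAMPLE_FLOWS.items()):
        print(f"{name:14} -> {'MARK' if url_match(payload) else 'pass'}")
```

    Under this model the SMTP flow carrying "readme.eml" and the POST search are
    never marked, while a GET search form with the string in its query string is,
    which is exactly the case where such a filter needs a narrower pattern or an
    exception for the affected server.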
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    


