RE: Code Red -- AGAIN?!?

From: Reeves, Michael (GEAE, Compaq) (michael.reevesat_private)
Date: Mon Dec 03 2001 - 06:51:38 PST


    HC,
    
    	Here is the link to Cisco's website on how to accomplish this. Also
    here are my stats for about 4 days. I have had this implemented for almost a
    week now with no problems. I only have this on one of my external routers to
    see if there are any performance problems but everything has been cool and
    the gang. I should be implementing on router #2 this week. Hope this helps!
    
    Mike
    
    
    
    http://www.cisco.com/warp/public/63/nimda.shtml
    
    
    
     FastEthernet1/0
    
      Service-policy input: drop-inbound-http-hacks
    
        Class-map: http-hacks (match-any)
          35725 packets, 2203431 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: protocol http url "*.ida*"
            59 packets, 29294 bytes
            5 minute rate 0 bps
          Match: protocol http url "*cmd.exe*"
            30464 packets, 1856152 bytes
            5 minute rate 0 bps
          Match: protocol http url "*root.exe*"
            5202 packets, 317985 bytes
            5 minute rate 0 bps
          Match: protocol http url "*readme.eml*"
            0 packets, 0 bytes
            5 minute rate 0 bps
          
    
    
    -----Original Message-----
    From: H C [mailto:keydet89at_private]
    Sent: Friday, November 30, 2001 4:09 PM
    To: Reeves, Michael (GEAE, Compaq); 'incidentsat_private'
    Subject: RE: Code Red -- AGAIN?!?
    
    
    Mike,
    
    > I have seen a steady stream of CR, CRII, and nimda
    > since their inception.
    > Some days worse than others but I filter it out at
    > the routers. Over 40,000
    > instances in the last week :)
    
    Are you saying that your *router* does stateful
    inspection?  Or when you say "filter it out at the
    routers", are you saying that you are blocking port 80
    requests altogether b/c you don't have a web server
    running?  If so, how do you know that the traffic is
    CR/CRII/Nimda, if you can't see the URL being
    requested?
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
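As an added example, not Mike's own configuration and not the text of the Cisco note he links: the IOS configuration that would produce the class-map counters quoted in his message. The four match lines are taken from those counters; the drop mechanism (a police statement with conform-action drop) and the use of FastEthernet1/0 are assumptions.

```cisco
! Constructed example: a class-map for the four URL patterns seen in the
! counters, and a policy that drops matching inbound HTTP on the edge router.
! NBAR protocol matching requires CEF to be enabled.
ip cef
!
class-map match-any http-hacks
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
! Assumption: drop via police with both actions set to drop; the rate and
! burst values are irrelevant because conforming and exceeding traffic
! are both discarded.
policy-map drop-inbound-http-hacks
 class http-hacks
  police 1000000 31250 31250 conform-action drop exceed-action drop
!
! Assumption: the interface name is taken from the quoted output.
interface FastEthernet1/0
 service-policy input drop-inbound-http-hacks
!
! Verification: the per-match packet and byte counters quoted in the
! message are the output of
!   show policy-map interface FastEthernet1/0
```

The counters are the check that the policy is actually seeing and dropping the worm requests, so they are worth watching after every IOS upgrade. NBAR classifies HTTP only on TCP port 80 unless told otherwise, so the same request patterns aimed at a web server on another port would not be matched or counted here.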
    



    This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 12:05:34 PST