Security Incidents mailing list archives

Re: Using NBAR to stop your users from getting Nimda from a web page


From: Trevor <trevor () packetwerks org>
Date: Sun, 23 Sep 2001 00:21:46 -0400 (EDT)

One thing to keep in mind if using the ACL from that page... They suggest
using:

access-list 105 deny ip any any dscp 1 log
access-list 105 permit ip any any

Denying all ip will knock down any packets that have your regex strings in
it. Doing a search on Google for "cmd.exe" will hang as it tries to return
the results of your search :) Also, any email discussion (like this one)
that has "readme.eml" in it will be denied. I changed mine to:

Extended IP access list 153
    deny tcp any any eq www dscp 1 log (6012 matches)
    permit ip any any (228200 matches)

This will only filter incoming www traffic.

Also, is anyone using this on a 75xx series Cisco with dCEF? I've heard
from a few people that they are only able to filter some of the traffic. I
am not sure if it's from the high packet per second load (It's on an OC3)
or something else. I have it running on my 2610 which doesn't use dCEF. I
only have 3 web servers so I am not seeing a large amount of traffic. Any
comments on this would be appreciated. Thanks.

Trevor


On Sat, 22 Sep 2001, Antonio Vasconcelos wrote:

If you have implemented NBAR in your cisco routers to stop CodeRed, you can 
add a line that stops your users getting infected with Nimda when browsing 
an infected server using IE. (You can learn about setting up NBAR in 
http://iponeverything.net/CodeRed.html )

Inside the
      class-map match-any {your_map_name}

just add the line

      match protocol http url "*.eml*"

I don't know if there is any legit use to receiving .EML files in http, if 
there is, use "*readme.eml*" instead.

I'm not 100% sure if this works, my anti-virus (F-Secure) fires up anyway, 
but it may be because it is scanning the page and finding the javascript 
fragment. I don't really know. However, with that line in place I can't use 
wget (from a linux machine) to get the readme.eml file from an infected 
server; it just times out. Without the line, I got the file all right.

(by the way, getting readme.eml with wget gives you the exact time when the 
server was infected)

[with]
--------------------------------------------------------------------------------
||| lula:~ # wget -T 30 -t 1 -d AA.BB.CC.DD/readme.eml
||| DEBUG output created by Wget 1.6 on linux-gnu.
|||
||| parseurl ("AA.BB.CC.DD/readme.eml") -> host AA.BB.CC.DD -> opath readme.eml -> dir  -> file readme.eml -> ndir
||| newpath: /readme.eml
||| --04:37:24--  http://AA.BB.CC.DD/readme.eml
|||            => `readme.eml'
||| Connecting to AA.BB.CC.DD:80... Created fd 3.
||| connected!
||| ---request begin---
||| GET /readme.eml HTTP/1.0
||| User-Agent: Wget/1.6
||| Host: AA.BB.CC.DD
||| Accept: */*
|||
||| ---request end---
||| HTTP request sent, awaiting response...
||| Read error (Connection timed out) in headers.
||| Closing fd 3
||| Giving up.
--------------------------------------------------------------------------------

[without]
--------------------------------------------------------------------------------
||| lula:~ # wget -T 30 -t 1 -d AA.BB.CC.DD/readme.eml
||| DEBUG output created by Wget 1.6 on linux-gnu.
|||
||| parseurl ("AA.BB.CC.DD/readme.eml") -> host AA.BB.CC.DD -> opath readme.eml -> dir  -> file readme.eml -> ndir
||| newpath: /readme.eml
||| --04:42:42--  http://AA.BB.CC.DD/readme.eml
|||            => `readme.eml'
||| Connecting to AA.BB.CC.DD:80... Created fd 3.
||| connected!
||| ---request begin---
||| GET /readme.eml HTTP/1.0
||| User-Agent: Wget/1.6
||| Host: AA.BB.CC.DD
||| Accept: */*
|||
||| ---request end---
||| HTTP request sent, awaiting response... HTTP/1.1 200 OK
||| Server: Microsoft-IIS/5.0
||| Date: Sat, 22 Sep 2001 03:35:56 GMT
||| Content-Type: message/rfc822
||| Accept-Ranges: bytes
||| Last-Modified: Tue, 18 Sep 2001 13:52:51 GMT
||| ETag: "da9d10354940c11:89a"
||| Content-Length: 79225
|||
|||
||| Length: 79,225 [message/rfc822]
|||
|||     0K -> .......... .......... .......... .......... .......... [ 64%]
|||    50K -> .......... .......... .......                          [100%]
|||
||| Closing fd 3
||| 04:42:48 (14.22 KB/s) - `readme.eml' saved [79225/79225]
--------------------------------------------------------------------------------

Hope this helps... Good luck.

----------
António Vasconcelos - ICQ #109994473 - Senior Network Management Support
CONVEX Portugal, Lda - T: +351-21-422-9200   F: +351-21-421-3787
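To make the difference between the two ACLs in this thread concrete, here is an added simulation (not code from either poster or from Cisco) of the NBAR marking plus ACL decision: a match-any class-map that sets dscp 1 on HTTP requests whose URL matches the wildcard patterns, followed by first-match ACL evaluation of Antonio's "deny ip any any dscp 1" list (105) and Trevor's "deny tcp any any eq www dscp 1" list (153). The URL patterns and the sample packets are constructed for the illustration; only "*readme.eml*" comes from the post itself.

```python
import fnmatch
from dataclasses import dataclass
from typing import Optional

# Constructed class-map URL patterns (match-any): the "*readme.eml*" line
# from the post plus a "*cmd.exe*" line standing in for the CodeRed strings.
CLASS_MAP_URLS = ["*readme.eml*", "*cmd.exe*"]

# ACL entries: (action, proto, dst_port or None for any, dscp or None for any).
ACL_105 = [("deny", "ip", None, 1), ("permit", "ip", None, None)]   # original
ACL_153 = [("deny", "tcp", 80, 1), ("permit", "ip", None, None)]    # narrowed


@dataclass
class Packet:
    proto: str                  # "tcp" or "udp"
    dst_port: int
    url: Optional[str] = None   # HTTP request URL as NBAR sees it, else None
    dscp: int = 0


def nbar_mark(pkt: Packet, patterns=CLASS_MAP_URLS) -> Packet:
    """'match protocol http url' inspects HTTP only; set dscp 1 on a hit."""
    if pkt.proto == "tcp" and pkt.url is not None:
        if any(fnmatch.fnmatchcase(pkt.url, p) for p in patterns):
            pkt.dscp = 1
    return pkt


def acl_action(pkt: Packet, acl) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, proto, port, dscp in acl:
        if proto != "ip" and proto != pkt.proto:
            continue
        if port is not None and port != pkt.dst_port:
            continue
        if dscp is not None and dscp != pkt.dscp:
            continue
        return action
    return "deny"


def decide(pkt: Packet, acl) -> str:
    """Full path: NBAR marks the packet, then the ACL acts on the marking."""
    return acl_action(nbar_mark(pkt), acl)


if __name__ == "__main__":
    samples = [Packet("tcp", 80, "/readme.eml"), Packet("tcp", 8080, "/readme.eml"),
               Packet("tcp", 80, "/search?q=cmd.exe"), Packet("tcp", 80, "/index.html")]
    for p in samples:
        print(f"{p.url}:{p.dst_port:<5} acl105={decide(p, ACL_105):<7} acl153={decide(p, ACL_153)}")
```

The run shows that list 153 only narrows the drop to destination port 80: a marked request to another HTTP port is permitted, and any port-80 URL that happens to contain a pattern string (the search-engine case Trevor mentions) is still dropped by both lists.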


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
