Security Incidents mailing list archives

Re: Using NBAR to stop your users from getting Nimda from a web page


From: Jeff Kell <jeff-kell () utc edu>
Date: Sun, 23 Sep 2001 15:59:44 -0400

Trevor wrote:

> One thing to keep in mind if using the ACL from that page... They
> suggest using:
>
> access-list 105 deny ip any any dscp 1 log
> access-list 105 permit ip any any
>
> Denying all ip will knock down any packets that have your regex
> strings in it. Doing a search on Google for "cmd.exe" will hang as it
> tries to return the results of your search :) Also, any email
> discussion (like this one) that has "readme.eml" in it will be denied.
> I changed mine to:
>
> Extended IP access list 153
>     deny tcp any any eq www dscp 1 log (6012 matches)
>     permit ip any any (228200 matches)
>
> This will only filter incoming www traffic.

A couple of comments on the Cisco recommendations - the filter checks
for several variants of .ida files, immediately followed by a *.ida,
which makes the previous ones superfluous.

And while restricting your deny to 'any any eq www dscp 1' helps some,
there are some legitimate packets that arrive with (the equivalent of)
dscp set to 1.  Would suggest you change the policy filter to add on at
the end:

   class class-default
      set dscp 0 (or whatever value other than 1)

I have had some slightly confusing discrepancies between the packet 
counts of 'sho policy int' versus the access-list 105 hits, even after
the above changes.  The most reliable way to do the filtering is by
using the policing method on the ingress interface(s).  I've placed the
policing version on the edge routers and the "mark and deny" method on
the border router behind them.  Nothing leaked through, but not sure
how many false positives we might have blocked.  NBAR still seems to be
a bit of magic with a touch of evil voodoo :-)  (IOS 12.2(3) by the 
way).

> Also, is anyone using this on a 75xx series Cisco with dCEF? I've
> heard from a few people that they are only able to filter some of the
> traffic.

Not me, I checked figures for the image and it wants 20Mb flash and
128Mb RAM, both of which exceed our old 7505 RSP1's capacity.  Besides,
doesn't it only work on VIP interfaces?

Jeff Kell <jeff-kell () utc edu>
Systems/Network Administrator
University of Tennessee at Chattanooga

PS - While I have a mail in progress, anybody else seeing RFC1918
addressed packets to port 80?  We're getting a ton of them, but they
are blocked by our ingress filter, so I don't have any details on what
sort of requests they are (don't have a sniffer that can sit on the T1s
and don't want to remove the filter just to sniff, though I may have to
if this persists).
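Putting the pieces from this thread together as one IOS configuration, as an added example (it is not Cisco's published Code Red/Nimda configuration and not either poster's router config): the "mark and deny" scheme with Trevor's narrower ACL, the class-default reset Jeff suggests for packets that arrive with DSCP 1 already set, and a policing policy-map for the ingress-drop variant. A single `*.ida*` match stands in for the redundant per-variant .ida entries. Interface names, descriptions, the police rate and burst values, and the remaining URL strings are assumptions, not taken from the thread.

```cisco
! Added example, not from the original post or Cisco's document.
! NBAR needs CEF switching on the router.
ip cef
!
! One *.ida* pattern already covers every .ida variant; listing the
! variants first and then *.ida* (as the Cisco page does) is redundant.
class-map match-any http-hacks
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
! "Mark and deny" (border router): tag matching requests with DSCP 1 and
! reset every other packet to DSCP 0, so traffic that legitimately arrives
! with DSCP 1 is not swept up by the deny below.
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
 class class-default
  set ip dscp 0
!
! Ingress-drop variant (edge routers): police the class to zero and drop
! on the way in, so nothing depends on an outbound ACL or DSCP counters.
! Rate and burst values are placeholders; every action is drop anyway.
policy-map drop-inbound-http-hacks
 class http-hacks
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
! Assumed interface names.  Only one of the two policies is applied per
! router; the border router takes the marking one.
interface Serial0/0
 description Internet T1 (assumed name)
 service-policy input mark-inbound-http-hacks
!
! Deny only marked inbound web traffic, not all IP with DSCP 1, so mail
! and search results that merely mention the strings still pass.
access-list 153 deny tcp any any eq www dscp 1 log
access-list 153 permit ip any any
!
interface FastEthernet0/0
 description Campus LAN (assumed name)
 ip access-group 153 out
```

Two caveats worth keeping in mind: NBAR classifies HTTP only on the ports in its port map (TCP 80 by default; `ip nbar port-map http tcp 80 8080` widens it), and the `log` keyword on the deny line is what makes the `show access-lists` hit counts useful when reconciling them against `show policy-map interface`.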

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
