Security Incidents mailing list archives
RE: Code Red -- AGAIN?!?
From: "Reeves, Michael (GEAE, Compaq)" <michael.reeves () ae ge com>
Date: Mon, 3 Dec 2001 09:51:38 -0500
HC,

Here is the link to cisco's website on how to accomplish this. Also here are my stats for about 4 days. I have had this implemented for almost a week now with no problems. I only have this on one of my external routers to see if there are any performance problems but everything has been cool and the gang. I should be implementing on router #2 this week.

Hope this helps!

Mike

http://www.cisco.com/warp/public/63/nimda.shtml

 FastEthernet1/0

  Service-policy input: drop-inbound-http-hacks

    Class-map: http-hacks (match-any)
      35725 packets, 2203431 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.ida*"
        59 packets, 29294 bytes
        5 minute rate 0 bps
      Match: protocol http url "*cmd.exe*"
        30464 packets, 1856152 bytes
        5 minute rate 0 bps
      Match: protocol http url "*root.exe*"
        5202 packets, 317985 bytes
        5 minute rate 0 bps
      Match: protocol http url "*readme.eml*"
        0 packets, 0 bytes
        5 minute rate 0 bps

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Friday, November 30, 2001 4:09 PM
To: Reeves, Michael (GEAE, Compaq); 'incidents () securityfocus com'
Subject: RE: Code Red -- AGAIN?!?

Mike,
I have seen a steady stream of CR, CRII, and nimda since their inception. Some days worse than others but I filter it out at the routers. Over 40,000 instances in the last week :)
Are you saying that your *router* does stateful inspection? Or when you say "filter it out at the routers", are you saying that you are blocking port 80 requests all together b/c you don't have a web server running? If so, how do you know that the traffic is CR/CRII/Nimda, if you can't see the URL being requested?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
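The IOS configuration that would produce the counters Mike posted, written here as an added example (it is not taken from the post or from the Cisco page he links). The class-map name, policy-map name, interface and URL patterns mirror the show output above; everything else is an assumption, in particular that the IOS release in use supports the plain `drop` class action (Cisco's Code Red/Nimda write-ups of that era instead marked matched packets with a DSCP value and dropped them with an ACL, or used `police ... conform-action drop exceed-action drop`). NBAR's URL classification needs CEF enabled and looks only at the URL in the HTTP request, so it answers H C's question: the router is not doing stateful inspection, it is matching request URLs on port 80 and counting each pattern separately.

```cisco
! Assumed: Cisco IOS with NBAR and CEF support. Names and patterns mirror the
! "show policy-map interface" output in the post; the plain "drop" action is
! assumed to exist in this release (older releases used police/conform-action drop).
ip cef
!
! NBAR classifies HTTP requests by URL. Each line is a substring match against
! the URL in the initial HTTP request; match-any means any one pattern suffices.
class-map match-any http-hacks
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
! Discard anything classified above. All other traffic falls into
! class-default and is forwarded unchanged.
policy-map drop-inbound-http-hacks
 class http-hacks
  drop
!
! Apply inbound on the Internet-facing interface.
interface FastEthernet1/0
 service-policy input drop-inbound-http-hacks
!
! Verify hits per pattern (this produces the counters shown in the post):
! show policy-map interface FastEthernet1/0
```

Two points worth checking before rolling this onto a second router: the per-match counters in `show policy-map interface` are the only evidence the filter is working, so watch them after each change, and the patterns are substring matches, so a pattern like `*cmd.exe*` will also discard any legitimate request whose URL happens to contain that string.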