Security Incidents mailing list archives
Re: Using NBAR to stop your users from geting Nimda from a web page
From: "Antonio Vasconcelos" <vasco () convex pt>
Date: Sun, 23 Sep 2001 18:50:52 +0100
At 00:21 2001.09.23 -0400, you wrote:
> One thing to keep in mind if using the ACL from that page... They suggest using:
>
> access-list 105 deny ip any any dscp 1 log
> access-list 105 permit ip any any
>
> Denying all ip will knock down any packets that have your regex strings in it. Doing a search on Google for "cmd.exe" will hang as it tries to return the results of your search :) Also, any email discussion (like this one) that has "readme.eml" in it will be denied. I changed mine to:
I don't think so, because the regexp is applied only to the URL, not to the contents, and only to HTTP. I wish there were a generic way to match a regexp to any packet: payloads, headers, options, etc.
> Router(config)#class-map match-any http-hacks
> Router(config-cmap)#match protocol http url "*default.ida*"

It's an "in" list, so you'll only have problems if you have some kind of service where users can submit a request where "default.ida" is part of the URL, like a search form using the GET method. It should be OK if the form uses POST, but I'd have to try that to be sure.
> Also, is anyone using this on a 75xx series Cisco with dCEF? I've heard from a few people that they are only able to filter some of the traffic. I am not sure if it's from the high packet per second load (It's on an OC3) or something else. I have it running on my 2610 which doesn't use dCEF. I only have 3 web servers so I am not seeing a large amount of traffic. Any comments on this would be appreciated. Thanks.
No, I'm using it on a 2610 too, and at low data rates (256 K). If it weren't that I can use it for blocking "readme.eml", I would drop NBAR now, because I know that my network is not vulnerable to a CodeRed infection from the outside (only Apache servers have static NAT addresses), and it looks to be much better for my bandwidth to just tarpit the requests using a tool like LaBrea (www.hackbusters.net).
...take care...
----------
António Vasconcelos - ICQ #109994473 - Senior Network Management Support
CONVEX Portugal, Lda - T: +351-21-422-9200 F: +351-21-421-3787
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
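For readers who want to see the two halves the thread refers to side by side, here is a complete NBAR mark-and-drop configuration. This is an added example, not any poster's configuration: the class-map name http-hacks, the three URL strings and access-list 105 are taken from the messages above; the policy-map name and the interface names are assumptions, and must be adapted to the router in question.

```cisco
! Added example (not from the thread). NBAR classifies HTTP requests by URL,
! a policy map marks them DSCP 1 on ingress, and an ACL drops DSCP 1 on egress.
! Class map name, URL strings and ACL 105 come from the thread; the policy-map
! name and interface names are assumptions.
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*readme.eml*"
!
! Mark anything the class map catches (policy-map name is an assumption)
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
!
! Assumed outside interface: classification and marking happen inbound here
interface Serial0/0
 service-policy input mark-inbound-http-hacks
!
! ACL 105 as posted in the thread: drop and log marked packets, permit the rest
access-list 105 deny ip any any dscp 1 log
access-list 105 permit ip any any
!
! Assumed inside interface facing the web servers: the ACL is applied outbound
interface FastEthernet0/0
 ip access-group 105 out
```

Two things worth checking before deploying this. First, as the reply above notes, the match protocol http url test is applied to the URL of an HTTP request, not to page bodies or mail traffic, so the strings only cause collateral drops when they appear in a request URL (a GET form is the usual case). Second, the deny line matches every packet carrying DSCP 1 regardless of who set it, so traffic that arrives already marked DSCP 1 from an upstream network will be dropped as well; the log keyword lets you see that happening in the access-list counters and syslog before it becomes a support call.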
Current thread:
- Using NBAR to stop your users from geting Nimda from a web page Antonio Vasconcelos (Sep 22)
- Re: Using NBAR to stop your users from geting Nimda from a web page Trevor (Sep 23)
- Re: Using NBAR to stop your users from geting Nimda from a web page Jeff Kell (Sep 24)
- Message not available
- Re: Using NBAR to stop your users from geting Nimda from a web page Antonio Vasconcelos (Sep 24)
- Re: Using NBAR to stop your users from geting Nimda from a web page Trevor (Sep 23)