Security Incidents mailing list archives

RE: Code Red -- AGAIN?!?


From: "Reeves, Michael (GEAE, Compaq)" <michael.reeves () ae ge com>
Date: Mon, 3 Dec 2001 09:51:38 -0500

HC,

        Here is the link to cisco's website on how to accomplish this. Also
here are my stats for about 4 days. I have had this implemented for almost a
week now with no problems. I only have this on one of my external routers to
see if there are any performance problems but everything has been cool and
the gang. I should be implementing on router #2 this week. Hope this helps!

Mike



http://www.cisco.com/warp/public/63/nimda.shtml



 FastEthernet1/0

  Service-policy input: drop-inbound-http-hacks

    Class-map: http-hacks (match-any)
      35725 packets, 2203431 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http url "*.ida*"
        59 packets, 29294 bytes
        5 minute rate 0 bps
      Match: protocol http url "*cmd.exe*"
        30464 packets, 1856152 bytes
        5 minute rate 0 bps
      Match: protocol http url "*root.exe*"
        5202 packets, 317985 bytes
        5 minute rate 0 bps
      Match: protocol http url "*readme.eml*"
        0 packets, 0 bytes
        5 minute rate 0 bps
      

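The IOS configuration behind the counters above, as an added example reconstructed from the show output rather than copied from the router or from the Cisco page: the class-map name, policy-map name, interface and URL patterns come from the output; the policing rate and burst values are assumed placeholders, and NBAR requires CEF to be enabled.

```cisco
! CEF is a prerequisite for NBAR classification (assumption: not yet enabled)
ip cef
!
! Classify HTTP requests whose URL matches any of the worm signatures
class-map match-any http-hacks
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*readme.eml*"
!
! Drop everything the class matched; policing with all actions set to drop
! is the portable way to discard traffic in a class (rate/burst values are
! placeholders, they do not matter when every action is drop)
policy-map drop-inbound-http-hacks
 class http-hacks
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
! Apply inbound on the external interface so the requests never reach the LAN
interface FastEthernet1/0
 service-policy input drop-inbound-http-hacks
!
end
```

Check the per-match counters afterwards with `show policy-map interface FastEthernet1/0`, which is the command that produced the output above; a non-zero packet count next to a pattern confirms the signature is firing.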

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Friday, November 30, 2001 4:09 PM
To: Reeves, Michael (GEAE, Compaq); 'incidents () securityfocus com'
Subject: RE: Code Red -- AGAIN?!?


Mike,

I have seen a steady stream of CR, CRII, and nimda since their inception.
Some days worse than others but I filter it out at the routers. Over 40,000
instances in the last week :)

Are you saying that your *router* does stateful
inspection?  Or when you say "filter it out at the
routers", are you saying that you are blocking port 80
requests all together b/c you don't have a web server
running?  If so, how do you know that the traffic is
CR/CRII/Nimda, if you can't see the URL being
requested?




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

