Security Incidents mailing list archives

Using NBAR to stop your users from getting Nimda from a web page


From: "Antonio Vasconcelos" <vasco () convex pt>
Date: Sat, 22 Sep 2001 04:59:07 +0100

If you have implemented NBAR in your Cisco routers to stop CodeRed, you can add a line that stops your users getting infected with Nimda when browsing an infected server using IE. (You can learn about setting up NBAR in http://iponeverything.net/CodeRed.html )

Inside the
        class-map match-any {your_map_name}

just add the line

        match protocol http url "*.eml*"

I don't know if there is any legit use to receiving .EML files in http, if there is, use "*readme.eml*" instead.

I'm not 100% sure if this works; my anti-virus (F-Secure) fires up anyway, but it may be because it is scanning the page and finding the javascript fragment. I don't really know. However, with that line in place I can't use wget (from a Linux machine) to get the readme.eml file from an infected server; it just times out. Without the line, I got the file all right.

(by the way, getting readme.eml with wget gives you the exact time when the server was infected)

[with]
--------------------------------------------------------------------------------
||| lula:~ # wget -T 30 -t 1 -d AA.BB.CC.DD/readme.eml
||| DEBUG output created by Wget 1.6 on linux-gnu.
|||
||| parseurl ("AA.BB.CC.DD/readme.eml") -> host AA.BB.CC.DD -> opath readme.eml -> dir -> file readme.eml -> ndir
||| newpath: /readme.eml
||| --04:37:24--  http://AA.BB.CC.DD/readme.eml
|||            => `readme.eml'
||| Connecting to AA.BB.CC.DD:80... Created fd 3.
||| connected!
||| ---request begin---
||| GET /readme.eml HTTP/1.0
||| User-Agent: Wget/1.6
||| Host: AA.BB.CC.DD
||| Accept: */*
|||
||| ---request end---
||| HTTP request sent, awaiting response...
||| Read error (Connection timed out) in headers.
||| Closing fd 3
||| Giving up.
--------------------------------------------------------------------------------

[without]
--------------------------------------------------------------------------------
||| lula:~ # wget -T 30 -t 1 -d AA.BB.CC.DD/readme.eml
||| DEBUG output created by Wget 1.6 on linux-gnu.
|||
||| parseurl ("AA.BB.CC.DD/readme.eml") -> host AA.BB.CC.DD -> opath readme.eml -> dir -> file readme.eml -> ndir
||| newpath: /readme.eml
||| --04:42:42--  http://AA.BB.CC.DD/readme.eml
|||            => `readme.eml'
||| Connecting to AA.BB.CC.DD:80... Created fd 3.
||| connected!
||| ---request begin---
||| GET /readme.eml HTTP/1.0
||| User-Agent: Wget/1.6
||| Host: AA.BB.CC.DD
||| Accept: */*
|||
||| ---request end---
||| HTTP request sent, awaiting response... HTTP/1.1 200 OK
||| Server: Microsoft-IIS/5.0
||| Date: Sat, 22 Sep 2001 03:35:56 GMT
||| Content-Type: message/rfc822
||| Accept-Ranges: bytes
||| Last-Modified: Tue, 18 Sep 2001 13:52:51 GMT
||| ETag: "da9d10354940c11:89a"
||| Content-Length: 79225
|||
|||
||| Length: 79,225 [message/rfc822]
|||
|||     0K -> .......... .......... .......... .......... .......... [ 64%]
|||    50K -> .......... .......... .......                          [100%]
|||
||| Closing fd 3
||| 04:42:48 (14.22 KB/s) - `readme.eml' saved [79225/79225]
--------------------------------------------------------------------------------

Hope this helps... Good luck.

----------
António Vasconcelos - ICQ #109994473 - Senior Network Management Support
CONVEX Portugal, Lda - T: +351-21-422-9200   F: +351-21-421-3787
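The class-map line quoted in the message only does anything once it sits inside a complete NBAR policy. The following is an added example, not the poster's configuration, built on the DSCP-marking approach Cisco documented for CodeRed; the interface names, ACL number and class/policy names are placeholders, and `*default.ida*` stands in for whatever CodeRed matches you already have.

```cisco
! Added example (not from the original message): full NBAR policy around the
! "match protocol http url" line. Names, interfaces and ACL number are placeholders.
!
! NBAR needs CEF switching enabled.
ip cef
!
! 1. Classify: any HTTP request whose URL matches one of these globs.
!    "*default.ida*" is the well-known CodeRed request; "*.eml*" is the
!    Nimda line from the message (use "*readme.eml*" to be narrower).
class-map match-any http-worms
  match protocol http url "*default.ida*"
  match protocol http url "*.eml*"
!
! 2. Mark matching packets with a DSCP value you do not otherwise use.
policy-map mark-http-worms
  class http-worms
    set ip dscp 1
!
! 3. Apply the policy where the HTTP requests enter the router. For users
!    browsing out to an infected server that is the LAN-facing interface;
!    the GET is what carries the URL, so it has to be seen on the way in.
interface FastEthernet0/0
  description LAN users (placeholder)
  service-policy input mark-http-worms
!
! 4. Drop the marked packets on the way out toward the Internet, let
!    everything else through. The TCP handshake still completes (no URL
!    yet), so the client sees a timeout waiting for headers, which is
!    exactly the wget behaviour shown in the message.
access-list 105 deny   ip any any dscp 1 log
access-list 105 permit ip any any
!
interface Serial0/0
  description Internet uplink (placeholder)
  ip access-group 105 out
```

To confirm the class is firing, `show policy-map interface FastEthernet0/0` reports per-class packet counts, and the `log` keyword on the deny entry records the dropped requests.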


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

