Security Incidents mailing list archives

Re: Using NBAR to stop your users from getting Nimda from a web page


From: "Antonio Vasconcelos" <vasco () convex pt>
Date: Sun, 23 Sep 2001 18:50:52 +0100

At 00:21 2001.09.23 -0400, you wrote:
> One thing to keep in mind if using the ACL from that page... They suggest
> using:
>
> access-list 105 deny ip any any dscp 1 log
> access-list 105 permit ip any any
>
> Denying all ip will knock down any packets that have your regex strings in
> it. Doing a search on Google for "cmd.exe" will hang as it tries to return
> the results of your search :) Also, any email discussion (like this one)
> that has "readme.eml" in it will be denied. I changed mine to:

I don't think so, because the regexp is applied only to the URL, not to the contents, and only to HTTP. I wish there were a generic way to match a regexp against any packet: payloads, headers, options, etc.

> Router(config)#class-map match-any http-hacks
> Router(config-cmap)#match protocol http url "*default.ida*"

It's an "in" list, so you'll only have problems if you have some kind of service where users can submit a request with "default.ida" as part of the URL, like a search form using the GET method. It should be OK if the form uses POST, but I'd have to try that to be sure.

> Also, is anyone using this on a 75xx series Cisco with dCEF? I've heard
> from a few people that they are only able to filter some of the traffic. I
> am not sure if it's from the high packet per second load (It's on an OC3)
> or something else. I have it running on my 2610 which doesn't use dCEF. I
> only have 3 web servers so I am not seeing a large amount of traffic. Any
> comments on this would be appreciated. Thanks.

No, I'm using it on a 2610 too, and at low data rates (256 K).

If it were not that I can use it for blocking "readme.eml", I would drop NBAR now, because I know that my network is not vulnerable to a Code Red infection from the outside (only Apache servers have static NAT addresses), and it looks to be much better for my bandwidth to just tarpit the requests using a tool like LaBrea (www.hackbusters.net).

...take care...

----------
António Vasconcelos - ICQ #109994473 - Senior Network Management Support
CONVEX Portugal, Lda - T: +351-21-422-9200   F: +351-21-421-3787
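The two replies above turn on one distinction: NBAR's "match protocol http url" inspects only the request-target of an HTTP request line, whereas the quoted poster feared the regex was matched against whole packet payloads. The following script is an added illustration of that difference, not code from this thread or from Cisco. It assumes IOS wildcard patterns where "*" is the only wildcard, and the four sample payloads (a Code Red style probe, a search submitted by GET, the same search by POST, and an SMTP message body mentioning readme.eml) are constructed for the demonstration.

```python
import re

# Constructed: the URL patterns the thread mentions, written in the wildcard
# style IOS accepts for "match protocol http url" (assumption: '*' is the only
# wildcard and the match is case-insensitive).
URL_PATTERNS = ["*default.ida*", "*cmd.exe*", "*readme.eml*"]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn an IOS-style '*foo*' pattern into an anchored regex.
    DOTALL lets '*' span line breaks when a whole payload is scanned."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def parse_http_request(payload: bytes):
    """Return (method, request_target, body) for an HTTP request, or None when
    the payload does not begin with an HTTP request line (e.g. SMTP traffic)."""
    text = payload.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    m = re.match(r"^([A-Z]+) (\S+) HTTP/\d\.\d$", request_line)
    if not m:
        return None
    return m.group(1), m.group(2), body


def nbar_url_match(payload: bytes, patterns=URL_PATTERNS) -> bool:
    """Model of what 'match protocol http url' looks at: only the request-target
    of an HTTP request line. Headers, bodies and non-HTTP traffic never match."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return False
    _, target, _ = parsed
    return any(wildcard_to_regex(p).match(target) for p in patterns)


def raw_payload_match(payload: bytes, patterns=URL_PATTERNS) -> bool:
    """The broader behaviour the quoted poster worried about: scanning the
    entire payload, so mail bodies and POST forms would also be hit."""
    text = payload.decode("latin-1")
    return any(wildcard_to_regex(p).match(text) for p in patterns)


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "codered_probe": b"GET /default.ida HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "search_via_get": b"GET /search?q=cmd.exe HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "search_via_post": (
        b"POST /search HTTP/1.0\r\nHost: www.example.com\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 9\r\n\r\nq=cmd.exe"
    ),
    "mail_mentioning_worm": (
        b"DATA\r\nSubject: re: nimda\r\n\r\n"
        b"watch for attachments called readme.eml\r\n.\r\n"
    ),
}


def classify_all(samples=SAMPLES):
    """Map each sample name to (url_match, whole_payload_match)."""
    return {name: (nbar_url_match(p), raw_payload_match(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (url_hit, raw_hit) in classify_all().items():
        print(f"{name:22s} url-match={url_hit!s:5s} payload-match={raw_hit}")
```

Run as is, it shows that the URL-only model flags the probe and the GET search (the false positive Antonio describes for GET forms) but leaves the POST form and the mail body alone, while whole-payload scanning flags all four. A policy that marks matched packets with DSCP 1 and then drops them in ACL 105, as in the quoted configuration, therefore only affects HTTP requests whose URL matches.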


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

