nanog mailing list archives
Re: Router / Protocol Problem
From: Sam Stickland <sam_mailinglists () spacething org>
Date: Thu, 07 Sep 2006 16:01:45 +0100
Hi John,

John Kristoff wrote:
> On Thu, 7 Sep 2006 07:27:16 -0400
> "Mike Walter" <mwalter () 3z net> wrote:
>
>> Sep 7 06:50:20.697 EST: %SEC-6-IPACCESSLOGP: list 166 denied tcp 69.50.222.8(25) -> 69.4.74.14(2421), 4 packets
>
> [...]
>
> I'm not very familiar with NBAR or how to use it for CodeRed, but this first rule:
>
>> access-list 166 deny ip any any dscp 1 log
>
> Seems dubious. So I'm not sure what sets the codepoint to 000001 by default, but apparently CodeRed does? Nevertheless, this seems like a very weak basis for determining whether something is malicious.

It's his NBAR config lower down that sets the dscp value:

>> class-map match-any http-hacks
>>  match protocol http url "*default.ida*"
>>  match protocol http url "*cmd.exe*"
>>  match protocol http url "*root.exe*"
>> policy-map mark-inbound-http-hacks
>>  class http-hacks
>>   set ip dscp 1

So, there's probably two things that could happen here: One, NBAR is incorrectly identifying the SMTP traffic as code red, or two, the SMTP traffic is already marked with dscp 1. If you're using these values internally in your own network then they should be reset on all externally received traffic.

Sam
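
The reset suggested in the message above, written out as an added example that is not part of the original post or of the poster's router configuration. The class and policy names are the ones quoted in the thread; the `class-default` stanza, the interface placeholder and the inbound attachment are assumptions.

```cisco
! Added example. Names are taken from the quoted config; the
! class-default stanza is the addition.
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
policy-map mark-inbound-http-hacks
 ! NBAR match: mark for the "deny ip any any dscp 1" rule in list 166
 class http-hacks
  set ip dscp 1
 ! Everything else: overwrite whatever DSCP the sender or an upstream
 ! network set, so a packet arriving with dscp 1 no longer hits list 166
 class class-default
  set ip dscp 0
!
! Assumption: the policy is attached inbound on the external interface
! (the interface name is a placeholder).
interface <external-interface>
 service-policy input mark-inbound-http-hacks
!
! To tell the two cases apart, compare counters while list 166 is logging:
!   show policy-map interface <external-interface> input
!   show access-lists 166
! Denies that grow while the http-hacks packet count stays flat point to
! traffic that arrived pre-marked rather than to an NBAR misclassification.
```

Resetting in `class-default` discards any DSCP marking a peer applied, which is the intent when dscp 1 carries a local meaning such as "drop this".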