Hi,

Has anyone tried filtering the Nimda virus on the content switch? I have
configured it but do not see that it is filtering the virus; the show
summary is not showing the counter incrementing even though the IDS
reports Nimda.

Here is what I configured: I created an HTTP header group and rule which will
look at the HTTP header request for the strings .ida, cmd.exe, default.ida
and x.ida and, if found, should direct this to the dummy service, which points
to a nonexistent server.

Any inputs regarding this would be helpful.


!********************* HEADER FIELD GROUP *********************
header-field-group .ida
  header-field .ida request-line contain ".ida"

header-field-group cmd.exe
  header-field cmd.exe request-line contain "cmd.exe"

header-field-group default.ida
  header-field default.ida request-line contain "default.ida"

header-field-group root.exe
  header-field root.exe request-line contain "root.exe"

header-field-group x.ida
  header-field x.ida request-line contain "x.ida"

!*************************** OWNER ***************************


 content block_.ida
   url "/*"
   protocol tcp
   port 80
   header-field-rule .ida weight 0
   add service dummy
   active

 content block_cmd.exe
   url "/*"
   protocol tcp
   port 80
   header-field-rule cmd.exe weight 0
   add service dummy
   active

 content block_default.ida
   header-field-rule default.ida weight 0
   add service dummy
   protocol tcp
   port 80
   url "/*"
   active

 content block_root.exe
   protocol tcp
   port 80
   url "/*"
   header-field-rule root.exe weight 0
   add service dummy
   active

 content block_x.ida
   protocol tcp
   port 80
   url "/*"
   header-field-rule x.ida weight 0
   add service dummy
   active


!************************** SERVICE **************************
service dummy
  ip address 10.10.10.10
  keepalive type none
  active





Kind Regards /Thangavel

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44843&t=44843
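
An added example, not part of the original post: one way to cross-check the switch counters is to scan the access log of a real server behind the switch for request lines containing the same substrings as the header-field groups above. It assumes Common Log Format and plain case-sensitive substring comparison (the switch's own matching may differ); the log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Substrings taken from the header-field groups in the posted configuration.
PATTERNS = [".ida", "cmd.exe", "default.ida", "root.exe", "x.ida"]

# Common Log Format (assumed): the request line is the first double-quoted field.
REQUEST_RE = re.compile(r'"([A-Z]+ [^"]*)"')

# Constructed sample access-log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Oct/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043
192.0.2.44 - - [01/Oct/2001:10:00:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.44 - - [01/Oct/2001:10:00:03 +0000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 215
192.0.2.77 - - [01/Oct/2001:10:00:04 +0000] "GET /default.ida?XXXX HTTP/1.0" 404 205
192.0.2.10 - - [01/Oct/2001:10:00:05 +0000] "GET /images/logo.gif HTTP/1.0" 200 5120
"""


def matched_patterns(request_line):
    """Return every configured substring present in the request line."""
    return [p for p in PATTERNS if p in request_line]


def scan(log_text):
    """Return (per-pattern hit counts, flagged requests) for a log."""
    hits = Counter()
    flagged = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable log line
        found = matched_patterns(m.group(1))
        if found:
            flagged.append((m.group(1), found))
            hits.update(found)
    return hits, flagged


if __name__ == "__main__":
    hits, flagged = scan(SAMPLE_LOG)
    for request, found in flagged:
        print(f"{request!r} -> {found}")
    print(dict(hits))
```

Any flagged request in a real server's log reached that server instead of the dummy service. The output also shows that a request line containing "default.ida" always contains ".ida" as well, so those content rules overlap.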