What kind of router are you using?  If it is a Cisco, NBAR improves the situation
by catching the majority of these packets.  The problem with NBAR is that if a line
spans packet fragments, it will often be missed.  We still do this to cut down the
amount of CR, Nimda, or similar types of ill-behaved URL traffic.

You of course can add more.  You do need to make sure you are on a new
enough IOS to do this.  I think 12.1.x and above works ok.  But check first.
You need a router that supports either the ISP or Enterprise IOS to get NBAR,
to the best of my recollection.

!
class-map match-any http-hacks
  match protocol http url "*default.ida*"
  match protocol http url "*x.ida*"
  match protocol http url "*.ida*"
  match protocol http url "*cmd.exe*"
  match protocol http url "*root.exe*"
  match protocol http url "*readme.eml*"
  match protocol http url "*_mem_bin*"
  match protocol http url "*/c/*"
  match protocol http url "*/d/*"
!
policy-map mark-inbound-http-hacks
  class http-hacks
   set ip dscp 1

! Define a policy map and action to take when matching packets are found.
policy-map drop-inbound-http-hacks
  class http-hacks
     police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
interface Serial0/0:0
 description T1 to the Internet
   ...........
! Establish a service-policy for whatever interface you want to drop packets from.
 service-policy input drop-inbound-http-hacks
   ...........


At 5/3/2002 10:47 AM, Montervino, Mariano wrote:
You can use the URLScan (ISAPI application) from Microsoft. You can catch
these kinds of attacks and many others...

Mariano Montervino

-----Original Message-----
From: Steve Moore [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 01 May 2002 01:04 a.m.
To: [EMAIL PROTECTED]
Subject: catching cmd.exe


Is there a way to filter all http requests at port 80 that include the
'cmd.exe' directive? I would prefer to simply reject these packets at the
router level. The router in question allows comparisons of packet data, but the
instructions on use are rather cryptic (including masks and hex offsets).

Alternatively, perhaps there is an intrusion detection system that could
catch this? I need an NT solution.

Thanks in advance

Steve Moore
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
For Account Management (unsubscribe, get/change password, etc) Please go to:
http://lists.gnac.net/mailman/listinfo/firewalls


--
Gregg Rosenberg - N9NNO      RICIS, Inc.        
Chief Technology Officer          708-444-2690  Voice
[EMAIL PROTECTED]                       708-444-2697 Fax
http://www.ricis.com -                 866-RICIS-77 Toll Free

           "Let me not pray to be sheltered from dangers
                but to be fearless in facing them."
         Rabindranath Tagore (1861-1914); Bengali writer.

Support anti-Spam legislation. Join the fight at www.cauce.org
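As an added illustration (not part of the thread), the following Python reproduces the class-map's wildcard URL matching with fnmatch and shows why a request line split across two TCP segments is missed when each segment is inspected on its own, as described above for NBAR. The HTTP requests are constructed samples.

```python
import fnmatch

# The "match protocol http url" patterns from the class-map in the message above.
HTTP_HACKS_PATTERNS = [
    "*default.ida*", "*x.ida*", "*.ida*", "*cmd.exe*", "*root.exe*",
    "*readme.eml*", "*_mem_bin*", "*/c/*", "*/d/*",
]


def request_url(segment: bytes):
    """Return the URL from a complete HTTP request line in `segment`,
    or None if the segment does not hold a full "METHOD URL VERSION\\r\\n" line."""
    line, sep, _ = segment.partition(b"\r\n")
    if not sep:
        return None
    parts = line.split(b" ")
    if len(parts) < 3:
        return None
    return parts[1].decode("latin-1")


def matches_http_hacks(url: str) -> bool:
    """class-map match-any: a URL is classified if any pattern matches.
    IOS '*' matches any run of characters, including '/', as fnmatch does."""
    return any(fnmatch.fnmatchcase(url, p) for p in HTTP_HACKS_PATTERNS)


def classify_stream(segments):
    """Compare per-segment inspection (approximating NBAR's behaviour) with
    inspection of the reassembled stream. Returns (per_segment_hit, reassembled_hit)."""
    per_segment = any(
        (url := request_url(seg)) is not None and matches_http_hacks(url)
        for seg in segments
    )
    url = request_url(b"".join(segments))
    reassembled = url is not None and matches_http_hacks(url)
    return per_segment, reassembled


if __name__ == "__main__":
    # Constructed samples: one whole request, and the same request split mid-URL.
    whole = [b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"]
    split = [b"GET /scripts/cm", b"d.exe HTTP/1.0\r\n\r\n"]
    print("whole request :", classify_stream(whole))   # (True, True)
    print("split request :", classify_stream(split))   # (False, True)
    # Broad patterns such as */d/* also hit ordinary paths (false positive).
    print("/docs/d/x.html:", matches_http_hacks("/docs/d/x.html"))  # True
```

The split case is the fragment caveat from the message: neither segment holds a complete request line, so per-segment matching never sees "cmd.exe", while the reassembled stream does.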
