
Re: [FW1] New worm on the road?



If you have a Nortel/BayNetworks screening router between you and the Internet, you can use these filters to drop the virus signatures and save a bunch of CPUs on the FW. I've included both an attachment (codes.flt) as well as a text version at the bottom of the note.

Here's what these filters drop (and log):
The Drop_MSADC_msadc filter drops these signatures:
/MSADC/
/msadc/
tftp%%2

The Drop_cd_winnt_scripts filter drops these signatures:
/c/winnt/
/d/winnt/
/scripts/

The Drop_mem_vti_bin filter drops these signatures:
/_mem_bin/
/_vti_bin/
/root.exe?

To use the router filter template, back up your existing template.flt file and save this file as template.flt. Then apply the filter to the router interface where you need to drop the virus signature packets. Make sure that you put the filters at the TOP of the filter list.

Hope this helps,
Tom....


(See attached file: codes.flt)

Start of template.............

TEMPLATE Drop_MSADC_msadc

     PROTOCOL IP

          ACTION
               DROP
               DETAILED_LOG
          END_ACTION

          FIELD IP_PROTOCOL
               6-6
          END_FIELD

          FIELD USER_DEFINED REF:HEADER_END OFFSET:192 BITWIDTH:56
               0x2f4d534144432f-0x2f4d534144432f
               0x2f6d736164632f-0x2f6d736164632f
               0x74667470252532-0x74667470252532
          END_FIELD

     END_PROTOCOL

END_TEMPLATE

TEMPLATE Drop_cd_winnt_scripts

     PROTOCOL IP

          ACTION
               DROP
               DETAILED_LOG
          END_ACTION

          FIELD IP_PROTOCOL
               6-6
          END_FIELD

          FIELD USER_DEFINED REF:HEADER_END OFFSET:192 BITWIDTH:72
               0x2f632f77696e6e742f-0x2f632f77696e6e742f
               0x2f642f77696e6e742f-0x2f642f77696e6e742f
               0x2f736372697074732f-0x2f736372697074732f
          END_FIELD

     END_PROTOCOL

END_TEMPLATE

TEMPLATE Drop_mem_vti_bin

     PROTOCOL IP

          ACTION
               DROP
               DETAILED_LOG
          END_ACTION

          FIELD IP_PROTOCOL
               6-6
          END_FIELD

          FIELD USER_DEFINED REF:HEADER_END OFFSET:192 BITWIDTH:80
               0x2f5f6d656d5f62696e2f-0x2f5f6d656d5f62696e2f
               0x2f5f7674695f62696e2f-0x2f5f7674695f62696e2f
               0x2f726f6f742e6578653f-0x2f726f6f742e6578653f
          END_FIELD

     END_PROTOCOL

END_TEMPLATE

End of template.........
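The following is an added example, not part of Tom's note or of the Nortel/Bay filter software: it models what the three templates above actually compare, so the signatures can be checked against request lines before the filter goes on a production interface. It assumes REF:HEADER_END means the end of the IP header and that OFFSET:192 (24 bytes) was chosen to skip a 20-byte TCP header plus "GET ", which is why every signature begins with "/". The values for tftp%%2 and /scripts/ are encoded here from the strings the note says those filters drop rather than copied from the template text. The sample request lines are taken from Patrick's message later in this thread; the TCP headers around them, the benign request and the request carrying a 12-byte option block are constructed.

```python
import struct

# Bit width and exact-match values of each FIELD USER_DEFINED entry in the
# template (a range whose low and high ends are equal is an exact compare).
# The tftp%%2 and /scripts/ values are encoded from the strings the note names
# (assumption: the template entries were meant to be those strings).
FILTERS = {
    "Drop_MSADC_msadc": (56, [
        0x2f4d534144432f,        # /MSADC/
        0x2f6d736164632f,        # /msadc/
        0x74667470252532,        # tftp%%2
    ]),
    "Drop_cd_winnt_scripts": (72, [
        0x2f632f77696e6e742f,    # /c/winnt/
        0x2f642f77696e6e742f,    # /d/winnt/
        0x2f736372697074732f,    # /scripts/
    ]),
    "Drop_mem_vti_bin": (80, [
        0x2f5f6d656d5f62696e2f,  # /_mem_bin/
        0x2f5f7674695f62696e2f,  # /_vti_bin/
        0x2f726f6f742e6578653f,  # /root.exe?
    ]),
}

# OFFSET:192 from the template: 192 bits = 24 bytes past the IP header end,
# i.e. a 20-byte TCP header plus the 4 bytes of "GET " (assumption about what
# REF:HEADER_END refers to).
OFFSET_BYTES = 192 // 8


def signature_text(width_bits, value):
    """Decode one range endpoint back into the ASCII it compares against."""
    return value.to_bytes(width_bits // 8, "big").decode("ascii")


def match_filters(after_ip_header):
    """Return the names of the templates whose fixed-offset compare matches.

    `after_ip_header` is everything following the IP header: TCP header,
    any TCP options, then the HTTP payload. The templates only look at
    IP_PROTOCOL 6, so callers pass TCP segments only.
    """
    hits = []
    for name, (width, values) in FILTERS.items():
        width_bytes = width // 8
        window = after_ip_header[OFFSET_BYTES:OFFSET_BYTES + width_bytes]
        if len(window) == width_bytes and int.from_bytes(window, "big") in values:
            hits.append(name)
    return hits


def tcp_segment(request_line, options=b""):
    """Build a constructed TCP header (optionally with options) in front of an
    HTTP request line, the way the first data segment of a request looks."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    data_offset = 5 + len(options) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         40000, 80,               # source port, destination port
                         1, 1,                    # seq, ack (placeholder values)
                         data_offset << 4, 0x18,  # data offset, flags PSH|ACK
                         8192, 0, 0)              # window, checksum (0), urgent
    return header + options + request_line.encode("ascii")


# Request lines copied from Patrick's message in this thread, plus one benign
# request and one request carrying a 12-byte timestamp option block (both
# constructed here).
SAMPLES = [
    ("GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0", b""),
    ("GET /scripts/root.exe?/c+dir HTTP/1.0", b""),
    ("GET /MSADC/root.exe?/c+dir HTTP/1.0", b""),
    ("GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0", b""),
    ("GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0", b""),
    ("GET /index.html HTTP/1.0", b""),
    ("GET /MSADC/root.exe?/c+dir HTTP/1.0", b"\x01\x01\x08\x0a" + b"\x00" * 8),
]


def classify_samples():
    """Evaluate every sample and return (request_line, has_options, hits)."""
    return [(line, bool(opts), match_filters(tcp_segment(line, opts)))
            for line, opts in SAMPLES]


if __name__ == "__main__":
    for name, (width, values) in FILTERS.items():
        print(name, [signature_text(width, v) for v in values])
    for line, with_options, hits in classify_samples():
        tag = "options " if with_options else ""
        print(f"{tag}{line[:44]:<52} -> {hits or 'passes'}")
```

Two things the model makes visible that the template alone does not: the compare is anchored at a fixed byte offset, so a request whose TCP header carries options (the last sample) slips past all three filters, and only the segment containing the request line is examined. Likewise the /root.exe? entry can only fire when the request path itself begins with /root.exe?, while every root.exe request in Patrick's log is caught earlier by its /scripts/ or /MSADC/ prefix. The %-encoded traversal variants in his log all start with one of the listed directory prefixes, so the prefix compare still catches them.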



"Joe Pampel" <[email protected]>
Sent by: [email protected]
         kpoint.com
To: <[email protected]>, <[email protected]>
cc:
bcc:
Subject: Re: [FW1] New worm on the road?
09/20/01 01:44 PM

That's the NIMBA worm.. I've been trying various resource filters but no
luck yet. Had well over 3 million log entries so far *today*.. an avg month
for us is ~30,000. (I'm stopping it with a more blunt filter for now..)
If I get a good rule working I'll post it up, and hope others will do the
same.

Regards from NYC,

Joe

>>> "Patrick Coomans" <[email protected]> 09/18/01 05:35PM >>>
Since this evening I am experiencing massive attacks on HTTP (IIS oriented
I presume) from many different IP addresses.

They all look like:

GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0


Is anyone aware that this is some new kind of worm?
Now my FW1 question: can I create an HTTP resource (secure server) that blocks all requests that e.g. have a .EXE in it? Or would that slow my FW1s down too much?

Any other suggestions for good products that can do HTTP content inspection and that cooperate or can co-exist with fw1?


Thanks,
Patrick









Attachment: codes.flt
Description: Binary data


