Re: [FW1] New worm on the road?
If you have a Nortel/BayNetworks screening router between you and the Internet, you can use these filters to drop the virus signatures and save a bunch of CPU on the FW. I've included both an attachment (codes.flt) as well as a text version at the bottom of the note.

Here's what these filters drop (and log):

The Drop_MSADC_msadc filter drops these signatures:
  /MSADC/
  /msadc/
  tftp%%2

The Drop_cd_winnt_scripts filter drops these signatures:
  /c/winnt/
  /d/winnt/
  /scripts/

The Drop_mem_vti_bin filter drops these signatures:
  /_mem_bin/
  /_vti_bin/
  /root.exe?

To use the router filter template, back up your existing template.flt file and save this file as template.flt. Then apply the filter to the router interface where you need to drop the virus signature packets. Make sure that you put the filters at the TOP of the filter list.

Hope this helps,
Tom....

(See attached file: codes.flt)

Start of template.............

TEMPLATE Drop_MSADC_msadc
  PROTOCOL IP
    ACTION
      DROP
      DETAILED_LOG
    END_ACTION
    FIELD IP_PROTOCOL
      6-6
    END_FIELD
    FIELD USER_DEFINED REF:HEADER_END OFFSET:192 BITWIDTH:56
      0x2f4d534144432f-0x2f4d534144432f
      0x2f6d736164632f-0x2f6d736164632f
      0x74667470252532-0x74667470252532
    END_FIELD
  END_PROTOCOL
END_TEMPLATE

TEMPLATE Drop_cd_winnt_scripts
  PROTOCOL IP
    ACTION
      DROP
      DETAILED_LOG
    END_ACTION
    FIELD IP_PROTOCOL
      6-6
    END_FIELD
    FIELD USER_DEFINED REF:HEADER_END OFFSET:192 BITWIDTH:72
      0x2f632f77696e6e742f-0x2f632f77696e6e742f
      0x2f642f77696e6e742f-0x2f642f77696e6e742f
      0x2f736372697074732f-0x2f736372697074732f
    END_FIELD
  END_PROTOCOL
END_TEMPLATE

TEMPLATE Drop_mem_vti_bin
  PROTOCOL IP
    ACTION
      DROP
      DETAILED_LOG
    END_ACTION
    FIELD IP_PROTOCOL
      6-6
    END_FIELD
    FIELD USER_DEFINED REF:HEADER_END OFFSET:192 BITWIDTH:80
      0x2f5f6d656d5f62696e2f-0x2f5f6d656d5f62696e2f
      0x2f5f7674695f62696e2f-0x2f5f7674695f62696e2f
      0x2f726f6f742e6578653f-0x2f726f6f742e6578653f
    END_FIELD
  END_PROTOCOL
END_TEMPLATE

End of template.........
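Added here as an illustration, not part of Tom's post and not a Nortel tool: a Python simulation of how the template's USER_DEFINED field is applied to a TCP segment, run over the request lines Patrick quoted. It assumes (my reading of the template, not something the post states) that REF:HEADER_END OFFSET:192 means "start 24 bytes past the end of the IP header", so with a 20-byte TCP header and the 4-byte "GET " token the window lands on the first bytes of the request path. The hex values are decoded from the template above; the TCP header fields and the benign request are constructed dummies.

```python
"""
Simulate the three Nimda router-filter templates from the post.

REF:HEADER_END OFFSET:192 BITWIDTH:N is read as: take the N-bit window that
starts 192 bits (24 bytes) after the IP header and compare it to each low-high
range. 20 bytes of TCP header + "GET " = 24 bytes, so the window covers the
first N/8 bytes of the URL path. That makes these path-PREFIX matches.
"""
import struct

# (name, bitwidth, [(low, high), ...]) decoded from the template text.
TEMPLATES = [
    ("Drop_MSADC_msadc", 56, [
        (0x2f4d534144432f, 0x2f4d534144432f),          # "/MSADC/"
        (0x2f6d736164632f, 0x2f6d736164632f),          # "/msadc/"
        (0x74667470252532, 0x74667470252532),          # "tftp%%2" as listed in the post
    ]),
    ("Drop_cd_winnt_scripts", 72, [
        (0x2f632f77696e6e742f, 0x2f632f77696e6e742f),  # "/c/winnt/"
        (0x2f642f77696e6e742f, 0x2f642f77696e6e742f),  # "/d/winnt/"
        (0x2f736372697074732f, 0x2f736372697074732f),  # "/scripts/"
    ]),
    ("Drop_mem_vti_bin", 80, [
        (0x2f5f6d656d5f62696e2f, 0x2f5f6d656d5f62696e2f),  # "/_mem_bin/"
        (0x2f5f7674695f62696e2f, 0x2f5f7674695f62696e2f),  # "/_vti_bin/"
        (0x2f726f6f742e6578653f, 0x2f726f6f742e6578653f),  # "/root.exe?"
    ]),
]

OFFSET_BITS = 192  # from the template: REF:HEADER_END OFFSET:192


def build_tcp_segment(http_request: str, tcp_options: bytes = b"") -> bytes:
    """Constructed TCP segment (everything after the IP header): a 20-byte base
    header with dummy port/seq values, optional TCP options, then the request."""
    assert len(tcp_options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset_words = 5 + len(tcp_options) // 4
    header = struct.pack("!HHIIBBHHH",
                         40000, 80,            # src port, dst port
                         1, 0,                 # seq, ack
                         data_offset_words << 4, 0x18,  # data offset, flags PSH|ACK
                         65535, 0, 0)          # window, checksum, urgent ptr
    return header + tcp_options + http_request.encode("latin-1")


def window_value(segment: bytes, bitwidth: int, offset_bits: int = OFFSET_BITS):
    """Big-endian integer of the BITWIDTH window at OFFSET, or None if too short."""
    start, width = offset_bits // 8, bitwidth // 8
    chunk = segment[start:start + width]
    return int.from_bytes(chunk, "big") if len(chunk) == width else None


def matching_template(segment: bytes):
    """Name of the first template whose range list the segment hits, else None.
    Templates are tried in the order they appear in the filter list."""
    for name, bitwidth, ranges in TEMPLATES:
        value = window_value(segment, bitwidth)
        if value is not None and any(lo <= value <= hi for lo, hi in ranges):
            return name
    return None


# Request lines quoted in Patrick's message, plus one constructed benign request.
SAMPLE_REQUESTS = [
    "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n",
    "GET /scripts/root.exe?/c+dir HTTP/1.0\r\n",
    "GET /MSADC/root.exe?/c+dir HTTP/1.0\r\n",
    "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n",
    "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n",
    "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n",
    "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n",
    "GET /index.html HTTP/1.0\r\n",  # constructed: should pass through
]


def classify(requests, tcp_options: bytes = b""):
    """Map each request path to the template that would drop it (or None)."""
    return {req.split()[1]: matching_template(build_tcp_segment(req, tcp_options))
            for req in requests}


if __name__ == "__main__":
    for path, hit in classify(SAMPLE_REQUESTS).items():
        print(f"{hit or 'PASS':22s} {path}")
    # Caveat: the match is a fixed byte offset. A 12-byte TCP option block
    # (NOP, NOP, timestamp) shifts the path by 12 bytes and the filter misses it.
    ts_opts = b"\x01\x01\x08\x0a" + bytes(8)
    print("with TCP options:", classify(["GET /MSADC/root.exe?/c+dir HTTP/1.0\r\n"], ts_opts))
```

Two things fall out of running it that the template alone does not make obvious: every request Patrick listed is caught by a prefix match on the first path component, while the "tftp%%2" and "/root.exe?" values can never be hit at this offset because neither string begins a path in the traffic shown; and the match silently fails whenever anything shifts the request line by even one byte (TCP options, a method other than the four-byte "GET "), which is why it belongs in front of, not instead of, the firewall.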
From: "Joe Pampel" <[email protected]>
To: <[email protected]>, [email protected] <[email protected]>
Subject: Re: [FW1] New worm on the road?
Date: 09/20/01 01:44 PM

That's the Nimda worm.. I've been trying various resource filters but no luck yet. Had well over 3 million log entries so far *today*.. an avg month for us is ~30,000. (I'm stopping it with a more blunt filter for now..) If I get a good rule working I'll post it up, and hope others will do the same.

Regards from NYC,
Joe

>>> "Patrick Coomans" <[email protected]> 09/18/01 05:35PM >>>
Since this evening I am experiencing massive attacks on HTTP (IIS oriented I presume) from many different IP addresses. They all look like:

GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /MSADC/root.exe?/c+dir HTTP/1.0
GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0
GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0

Is anyone aware that this is some new kind of worm?

Now my FW1 question: can I create an HTTP resource (secure server) that blocks all requests that e.g. have a .EXE in them? Or would that slow my FW1s down too much? Any other suggestions for good products that can do HTTP content inspection and that cooperate or can co-exist with fw1?

Thanks,
Patrick

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================

Attachment:
codes.flt