[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [FW1] New worm on the road?
Title: RE: [FW1] New worm on the road?
Yes, you' re right.
*.eml
or,
*readme.eml*
Should also be added in the path of the URI object. Thanx Paul...
Mete
-----Original Message-----
From: Paul Cardon [mailto:[email protected]]
Sent: Saturday, September 22, 2001 2:14 AM
To: METE EMINAGAOGLU (IT)
Cc: '[email protected]';
'[email protected]'
Subject: Re: [FW1] New worm on the road?
> "METE EMINAGAOGLU (IT)" wrote:
>
> Yes, I think everyone related with networking & security should have
> been aware till now somehow. (Since, W32/Nimda is so massive,
> aggressive, and posing many multi-functional different threats...
> Thanks to all the security vulnerabilities of Microsoft products!!!)
>
> Yes, you can create an http-security URI object. (Similar to the one
> used for CodeRed warm...)
>
> However, I should warn you that some people continously argue that
> this solution slows down http service in the FW, or crashes the FW
> completely... ?? (Although I have never faced such problems...)
>
> I'm still using different http and smtp-security server based rules in
> my FW. Even the one I' ve denoted below, no performance bottleneck so
> far...
>
> The solution: (A generic one for W32/Nimda, CodeRed, Sadmind/IIS)
>
> 1. Create A new URI Resource (say, Block_http),
>
> Tick both Connection Methods: "Transparent" & "Proxy"
> In the URI Match Spec. Type, choose "Wild Cards"
>
> Schemes: HTTP
> Method: GET, (you can also tick the other methods, if u'd like...)
> Host: *
> Path:
> {*default.ida?*,*cmd.exe?*,*root.exe?*,*dmin.dll,*/x,*readme.exe*}
> Query:*
You forgot *.eml which is important if you don't want vulnerable
browsers to get infected.
-paul
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
