Re: [FW-1] Problem blocking CodeRed with http resource
This is regarding what I have configured.

Name : Block-Http-Exploits
Comment : Nimda-Sand-CodeRed
Color : Dark Red
Connection Methods : Transparent, Proxy
Exception Track : Log or Alert (Anything that suits you)
URI Match Specification Type : Wild Cards
Match Schemes : HTTP, FTP, GOPHER, MAILTO, NEWS, WAIS, OTHER: *
Match Methods : GET, POST, PUT, HEAD, OTHER: *
Match Host : *
Match Path : {*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,*readme.exe*,*.eml*,*.nws}
Match Query : *
Action Replacement URI : http://http.Exploits.have.been.blocked.LoL
Action CVP : No CVP, None
Policy Editor : (Source) Any, (Destination) Any or Your Web Server(s), (Service) Http->Block-Http-Exploits, (Action) Drop, (Track) Long

The above rule is to be installed ON TOP of your Rule Base or above the FIRST rule regarding Http traffic.

DO NOT FORGET TO PUT THE BELOW :

"(Source) Any, (Destination) Any or Your Web Server(s), (Service) Http, (Action) Drop, (Track) Long"
"(Source) Any, (Destination) Your Web Server(s), (Service) Any, (Action) Drop, (Track) Long"

E-mail me again to tell me if it works.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, October 18, 2001 9:11 PM
To: [email protected]
Subject: Re: [FW-1] Problem blocking CodeRed with http resource

Yes, the original working rule is still in there.
(Not localnet -> ActiveWebServers http accept)

The blockage only occurs on http public net -> DMZ net.
It still works fine from private net -> DMZ net.

There is NAT running, but I don't see how it would hurt (of course I have been surprised before).

-----Original Message-----
From: dimitris.chontzopoulos [mailto:[email protected]]
Sent: Thursday, October 18, 2001 12:57 PM
To: FW-1-MAILINGLIST
Subject: Re: [FW-1] Problem blocking CodeRed with http resource

Have you added a rule under the BlockNimda rule to allow the rest of the http traffic???
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Thursday, October 18, 2001 5:11 PM
To: [email protected]
Subject: Re: [FW-1] Problem blocking CodeRed with http resource

Ah, thank you. Any idea why it is not working though?

-----Original Message-----
From: Werner.Brockhoven [mailto:[email protected]]
Sent: Thursday, October 18, 2001 5:14 AM
To: FW-1-MAILINGLIST
Subject: Re: [FW-1] Problem blocking CodeRed with http resource

Hi,

You'll also want to add readme.eml

Regards,
Werner

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Wednesday, October 17, 2001 9:47 PM
To: [email protected]
Subject: [FW-1] Problem blocking CodeRed with http resource

Hey all,

I picked up the way to do this out of an earlier thread and got it to work wonderfully - I thought. Once I had it in place (it being the following):

ANY - ANY - NIMBABLOCK - DROP

Where NIMBABLOCK is a Resource URI definition like:

Connection methods: Transparent, Proxy
Exception track: Log
URI match: Wild Cards
Schemes: http
Methods: GET
Host: *
Path: {*default.ida?*,*cmd.exe?*,*root.exe?*,*dmin.dll,*/x,*readme.exe*}
Query: *

Works great if I test it going out to the DMZ from inside, but coming in from the Internet to the DMZ it apparently is blocking all web traffic on this rule. From the inside to the DMZ it works perfectly.

Any help would be appreciated as my web server logs are filling with this fluff.

Bill
(FW41-1, SP 2, HPUX)

Bill Chmura
Ensign-Bickford Industries, Inc.
Information Technologies Department

===============================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
===============================================
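
An offline way to sanity-check the two Path lists from this thread before installing them, as an added example that is not from any poster and is not Check Point code. It approximates the resource's wildcard matching with Python's shell-style `fnmatch` applied to path plus query, which is an assumption about the firewall's behaviour, and every sample request is constructed.

```python
from fnmatch import fnmatchcase

# Path lists copied verbatim from the two messages in the thread.
ORIGINAL = "{*default.ida?*,*cmd.exe?*,*root.exe?*,*dmin.dll,*/x,*readme.exe*}"
REVISED = "{*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,*readme.exe*,*.eml*,*.nws}"

# Constructed request targets (path plus query), not taken from real logs.
WORM_STYLE = [
    "/default.ida?NNNN",
    "/scripts/root.exe?/c+dir",
    "/scripts/cmd.exe?/c+dir",
    "/msadc/admin.dll",
    "/readme.eml",
]
LEGITIMATE = [
    "/index.html",
    "/products/list.asp?id=7",
    "/static/x",
    "/docs/archive.eml.txt",
]


def parse_list(spec):
    """Split a '{a,b,c}' wildcard list into its individual patterns."""
    spec = spec.strip()
    if spec.startswith("{") and spec.endswith("}"):
        spec = spec[1:-1]
    return [p.strip() for p in spec.split(",") if p.strip()]


def first_match(patterns, target):
    """Return the first pattern that matches target, or None.

    Assumption: shell-style globbing ('*' any run, '?' any one character),
    case-sensitive, applied to the whole target. The firewall may differ.
    """
    return next((p for p in patterns if fnmatchcase(target, p)), None)


def audit(spec):
    """Return (worm-style targets not blocked, legitimate targets blocked)."""
    patterns = parse_list(spec)
    missed = [t for t in WORM_STYLE if first_match(patterns, t) is None]
    hits = ((t, first_match(patterns, t)) for t in LEGITIMATE)
    overblocked = {t: p for t, p in hits if p is not None}
    return missed, overblocked


if __name__ == "__main__":
    for name, spec in (("original", ORIGINAL), ("revised", REVISED)):
        missed, overblocked = audit(spec)
        print(f"{name}: missed={missed} overblocked={overblocked}")
```

Replacing the two sample lists with request lines from your own web server logs shows which legitimate URLs a pattern list would drop before the rule goes into the Rule Base.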