
Re: [FW-1] Problem blocking CodeRed with http resource



To prevent this create a new URI resource (called for example: NIMDA_URI),
type "wildcard" match, and in the match properties select:
Scheme: HTTP
Method: GET
Host: *
Path: {*cmd.exe,*root.exe,*admin.dll,*readme.exe,*readme.eml,default.ida}

Use this resource in a rule at the top of the rulebase:

src: any
dst: any
svc: http --> NIMDA_URI
act: DROP
log: none

-----Original Message-----
From: Chontzopoulos, Dimitris [mailto:[email protected]]
Sent: Thursday, October 18, 2001 2:53 PM
To: [email protected]
Subject: Re: [FW-1] Problem blocking CodeRed with http resource

This is regarding what I have configured.

Name: Block-Http-Exploits
Comment: Nimda-Sand-CodeRed
Color: Dark Red
Connection Methods: Transparent, Proxy
Exception Track: Log or Alert (anything that suits you)
URI Match Specification Type: Wild Cards
Match Schemes: HTTP, FTP, GOPHER, MAILTO, NEWS, WAIS, OTHER: *
Match Methods: GET, POST, PUT, HEAD, OTHER: *
Match Host: *
Match Path: {*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,*readme.exe*,*.eml*,*.nws}
Match Query: *
Action Replacement URI: http://http.Exploits.have.been.blocked.LoL
Action CVP: No CVP, None
Policy Editor: (Source) Any, (Destination) Any or Your Web Server(s), (Service) Http->Block-Http-Exploits, (Action) Drop, (Track) Long

The above rule is to be installed ON TOP of your Rule Base or above the
FIRST rule regarding Http traffic. DO NOT FORGET TO PUT THE BELOW:
"(Source) Any, (Destination) Any or Your Web Server(s), (Service) Http,
(Action) Drop, (Track) Long"
"(Source) Any, (Destination) Your Web Server(s), (Service) Any, (Action)
Drop, (Track) Long"

E-mail me again to tell me if it works.

-----Original Message-----
From: [email protected]
[mailto:[email protected]]
Sent: Thursday, October 18, 2001 9:11 PM
To: [email protected]
Subject: Re: [FW-1] Problem blocking CodeRed with http resource


Yes, the original working rule is still in there.
(Not localnet -> ActiveWebServers http accept)


The blockage only occurs on http public net -> DMZ net.
It still works fine from private net -> DMZ net.

There is NAT running, but I don't see how it would hurt (of course I have
been surprised before).



-----Original Message-----
From: dimitris.chontzopoulos
[mailto:[email protected]]
Sent: Thursday, October 18, 2001 12:57 PM
To: FW-1-MAILINGLIST
Subject: Re: [FW-1] Problem blocking CodeRed with http resource


Have you added a rule under the BlockNimda rule to allow the rest of the
http traffic???

-----Original Message-----
From: [email protected]
[mailto:[email protected]]
Sent: Thursday, October 18, 2001 5:11 PM
To: [email protected]
Subject: Re: [FW-1] Problem blocking CodeRed with http resource


Ah thank you.

Any idea why it is not working though?

-----Original Message-----
From: Werner.Brockhoven [mailto:[email protected]]
Sent: Thursday, October 18, 2001 5:14 AM
To: FW-1-MAILINGLIST
Subject: Re: [FW-1] Problem blocking CodeRed with http resource


Hi,

You'll also want to add readme.eml

Regards,

Werner

-----Original Message-----
From: [email protected]
[mailto:[email protected]]
Sent: Wednesday, October 17, 2001 9:47 PM
To: [email protected]
Subject: [FW-1] Problem blocking CodeRed with http resource


Hey all

I picked up the way to do this out of an earlier thread and got it to
work wonderfully - I thought.

Once I had it in place (it being the following):

ANY - ANY - NIMBABLOCK - DROP

Where NIMBABLOCK is a Resource URI definition like:

Connection methods:  Transparent, Proxy
Exception track: Log
URI match: Wild Cards
Schemes: http
Methods: GET
Host: *
Path: {*default.ida?*,*cmd.exe?*,*root.exe?*,*dmin.dll,*/x,*readme.exe*}
Query: *

Works great if I test it going out to the DMZ from inside, but coming in
from the Internet to the DMZ it apparently is blocking all web traffic
on this rule. From the inside to the DMZ it works perfectly.

Any help would be appreciated as my web server logs are filling with
this fluff.

Bill (FW41-1, SP 2, HPUX)






Bill Chmura
Ensign-Bickford Industries, Inc.
Information Technologies Department

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
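Added example, not part of the thread: a small matcher that applies the wildcard path set from the Block-Http-Exploits resource above to constructed web server access-log lines, so a defender can check which requests the resource would catch and which ordinary traffic it leaves alone. It assumes FireWall-1 wildcard semantics where `*` matches any run of characters and every other character (including `?`) is literal, and matches against the full request target; the log lines and addresses are constructed.

```python
import re
from typing import List, Optional, Tuple

# Path set copied from the Block-Http-Exploits resource in this thread.
NIMDA_PATH_SET = "{*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,*readme.exe*,*.eml*,*.nws}"

# Constructed common-log-format lines; addresses come from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Oct/2001:14:01:02 +0000] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 200 0',
    '198.51.100.9 - - [18/Oct/2001:14:01:09 +0000] "GET /scripts/root.exe HTTP/1.0" 404 210',
    '198.51.100.9 - - [18/Oct/2001:14:01:10 +0000] "GET /readme.eml HTTP/1.0" 404 210',
    '192.0.2.44 - - [18/Oct/2001:14:02:00 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.44 - - [18/Oct/2001:14:02:03 +0000] "GET /docs/readme.txt HTTP/1.1" 200 880',
    '192.0.2.45 - - [18/Oct/2001:14:02:07 +0000] "POST /cgi-bin/search?q=cmd HTTP/1.1" 200 3301',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def split_set(spec: str) -> List[str]:
    """Split a '{a,b,c}' alternative list into members; a bare pattern is one member."""
    spec = spec.strip()
    if spec.startswith("{") and spec.endswith("}"):
        spec = spec[1:-1]
    return [p.strip() for p in spec.split(",") if p.strip()]

def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Assumption: '*' matches any run of characters; everything else, '?' included, is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")

def classify(target: str, spec: str = NIMDA_PATH_SET) -> Optional[str]:
    """Return the first set member the request target matches, or None if the resource would not catch it."""
    for member in split_set(spec):
        if wildcard_to_regex(member).match(target):
            return member
    return None

def scan_log(lines: List[str], spec: str = NIMDA_PATH_SET) -> List[Tuple[str, str, str]]:
    """(client, request target, matched member) for every log line the resource would catch."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        client, _method, target, _status = m.groups()
        member = classify(target, spec)
        if member:
            hits.append((client, target, member))
    return hits

if __name__ == "__main__":
    for client, target, member in scan_log(SAMPLE_LOG):
        print(f"{client:15} {member:16} {target}")
```

The three benign lines (including the query string containing "cmd") are not flagged, which is the behaviour the resource's path set is meant to have; whether the gateway actually applies it that way on a given connection is a separate question from the rulebase order discussed above.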