Re: [FW-1] Nimda Uri
I have created the following:

"General" Tab
==========
Name                         : Block-Exploits-Http
Comment                      : Nimda-Sand-CodeRed
Connection Methods           : Transparent, Proxy
Exception Track              : Log
URI Match Specification Type : Wild Cards

"Match" Tab
=========
Schemes : http, ftp, gopher, mailto, news, wais, Other: *
Methods : GET, POST, HEAD, PUT, Other: *
Host    : *
Path    : {*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,*readme.exe*,*.eml*,*.nws*,*sample.exe*,*csrss.exe*,*httpodbc.dll*}
Query   : *

"Action" Tab
=========
Replacement Unit : http://no.exploits.allowed.com
(This way you send a redirect to the host trying to exploit you, so the connection he initiated does not time out on your firewall. You send a redirection that doesn't exist, so the attacker times out while trying to resolve the non-existent domain.)
All others : none, blank

The most important follows:

1. The "Nimda HTTP-Resource" must be placed at the top of your rule base.
2. After the "Nimda HTTP-Resource" you should place all other "HTTP-Resources" you may want to use in order to block downloads, web sites, etc.
3. After the other HTTP-Resources you may define, you must create a rule that will accept all other "legal" HTTP/FTP browsing etc.

Sample Configuration
================
No.1  Any  Any                    http-> Block-Exploits-Http  Drop    Long  Firewall
No.2  Any  DMZ_Web_Servers_Group  Http, Https, Ftp            Accept  Long  Firewall

I am using the exact scenario in the company I am working for and it works like a charm. If you define a Resource dropping traffic, you should also create a rule permitting the rest of the traffic. I had the same problem as you did when I first did something similar to yours. Don't forget to put the non-existent redirection.

Please let me know whether it works or not.

Thanx.

-----Original Message-----
From: Joe Bloggs [mailto:[email protected]]
Sent: Sunday, March 10, 2002 12:23 PM
To: [email protected]
Subject: [FW-1] Nimda Uri

We have a Checkpoint firewall 4.1 SP5.
Web servers are in a DMZ with legal IPs, therefore the FW is not doing any NAT. The problem is that if I enable the recommended rule to block Nimda/Code Red, i.e. create a URI and add it to a resource with the rule any->any>http>nimda_uri, it blocks all access to the web servers from internally and externally, and the log does not show anything. Any help appreciated.

Our platform: Win2K SP2, FW-1 4.1 SP5

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
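Added example, not from either poster or from Check Point: a small Python model of the wildcard Path match and the first-match rule evaluation described in the reply, showing why the resource Drop rule needs an Accept rule after it (the symptom in the original question). It assumes only '*' is a wildcard in the Path patterns, that matching is case-insensitive, and that FW-1's implicit cleanup rule drops anything no rule matched; the request URLs are constructed samples.

```python
import re
from urllib.parse import urlsplit

# Path patterns copied from the Block-Exploits-Http URI resource in the post.
EXPLOIT_PATHS = ["*default.ida?*", "*cmd.exe*", "*root.exe*", "*admin.dll*",
                 "*readme.exe*", "*.eml*", "*.nws*", "*sample.exe*",
                 "*csrss.exe*", "*httpodbc.dll*"]

def wildcard(pattern):
    # Assumption: only '*' is a wildcard; every other character ('?' included)
    # is literal, and the match is case-insensitive.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

EXPLOIT_RES = [wildcard(p) for p in EXPLOIT_PATHS]

def uri_matches(url):
    """True when the request URL hits one of the resource's Path patterns.
    Path and query are matched together so '*default.ida?*' only fires when
    a query string is actually present."""
    u = urlsplit(url)
    target = u.path + ("?" + u.query if u.query else "")
    return any(r.match(target) for r in EXPLOIT_RES)

# Rule base from the "Sample Configuration": (services, resource check, action).
# Source/destination are left out; both rules in the post use Any for source.
RULE_1 = ({"http"}, uri_matches, "drop")               # No.1: http-> resource, Drop
RULE_2 = ({"http", "https", "ftp"}, None, "accept")    # No.2: plain services, Accept

def decide(rulebase, service, url):
    """First-match evaluation; a resource rule only matches when its URI check
    fires. Anything unmatched falls to the implicit cleanup rule (assumed: drop)."""
    for services, check, action in rulebase:
        if service not in services:
            continue
        if check is None or check(url):
            return action
    return "drop (implicit)"
```

With only rule No.1 in place, an ordinary page request matches no rule and is silently dropped by the cleanup rule, which is why nothing appears in the log; adding rule No.2 below it accepts legal browsing while the exploit paths are still dropped.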