
Re: [FW-1] Nimda Uri



Thanks Chontzopoulos,

I've set up the rules exactly as below, but it still doesn't work. I built a
second FW with the same OS and FW version and it works on there; however, I've gone
through the settings of both of them and I cannot find anything different. I
must be missing something very simple.

Thanks


From: "Chontzopoulos, Dimitris" <[email protected]>
Reply-To: Mailing list for discussion of Firewall-1
<[email protected]>
To: [email protected]
Subject: Re: [FW-1] Nimda Uri
Date: Mon, 11 Mar 2002 10:19:42 +0200

I have created the following:

"General" Tab
==========
Name                          : Block-Exploits-Http
Comment                       : Nimda-Sand-CodeRed
Connection Methods            : Transparent, Proxy
Exception Track               : Log
URI Match Specification Type  : Wild Cards

"Match" Tab
=========
Schemes : http, ftp, gopher, mailto, news, wais, Other: *
Methods : GET, POST, HEAD, PUT, Other: *
Host    : *
Path    : {*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,*readme.exe*,*.eml*,*.nws*,*sample.exe*,*csrss.exe*,*httpodbc.dll*}
Query   : *

"Action" Tab
=========
Replacement URI : http://no.exploits.allowed.com
(This way you send a redirect to the host trying to exploit you, so the
connection it initiated does not time out on your firewall. You send a
redirection to a domain that doesn't exist, so the attacker times out while
trying to resolve the non-existent domain.)
All others      : none, blank

The most important follows:
1. The "Nimda HTTP-Resource" must be placed at the top of your rule base.
2. After the "Nimda HTTP-Resource" you should place all other "HTTP-Resources"
   you may want to use in order to block downloads, Web-Sites, etc.
3. After the other HTTP-Resources you may define, you must create a rule
   that will accept all other "Legal" HTTP/FTP browsing, etc.

Sample Configuration
================
No.  Source  Destination            Service                      Action  Track  Install On
1    Any     Any                    http -> Block-Exploits-Http  Drop    Long   Firewall
2    Any     DMZ_Web_Servers_Group  Http, Https, Ftp             Accept  Long   Firewall

I am using the exact scenario in the company I am working for and it works
like a charm. If you define a Resource dropping traffic, you should also
create a rule permitting the rest of the traffic. I had the same problem as
you did when I first set up something similar to yours. Don't forget to put in the
non-existent redirection. Please let me know whether it works or not. Thanks.

-----Original Message-----
From: Joe Bloggs [mailto:[email protected]]
Sent: Sunday, March 10, 2002 12:23 PM
To: [email protected]
Subject: [FW-1] Nimda Uri


We have a Check Point firewall 4.1 SP5, with web servers in a DMZ on legal IPs, so the FW is not doing any NAT. The problem is that if I enable the recommended rule to block Nimda/Code Red, i.e. create a URI, add it to a resource and use the rule any -> any -> http -> nimda_uri, it blocks all access to the web servers from both inside and outside, and the log does not show anything. Any help appreciated.

Our platform: Win2K SP2, FW-1 4.1 SP5


=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================





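The behaviour the thread hinges on can be modelled directly: a URI resource whose Path field is a wildcard set, and first-match rule-base evaluation in which a rule carrying a resource only matches a connection whose URI matches that resource, everything else falls through, and running off the end of the rule base is the implicit drop. The following is an added example written for this page, not Check Point code or anything posted in the thread. The match details (only `*` is a wildcard, matching is case-insensitive, the Path spec is compared against path plus query), the group membership, the addresses and all request lines are assumptions constructed for the example.

```python
"""Model of the FW-1 URI resource and rule ordering discussed in the thread."""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

# Path field of the Block-Exploits-Http resource, copied from the thread.
NIMDA_PATH_SPEC = (
    "{*default.ida?*,*cmd.exe*,*root.exe*,*admin.dll*,*readme.exe*,*.eml*,"
    "*.nws*,*sample.exe*,*csrss.exe*,*httpodbc.dll*}"
)


def expand_wildcard_set(spec: str) -> list:
    """'{a,b,c}' -> ['a', 'b', 'c']; a bare pattern is a one-element set."""
    spec = spec.strip()
    if spec.startswith("{") and spec.endswith("}"):
        spec = spec[1:-1]
    return [p.strip() for p in spec.split(",") if p.strip()]


def wildcard_to_regex(pattern: str):
    """Only '*' is a wildcard (assumption); '?' and '.' are literal, so
    '*default.ida?*' means 'default.ida?' anywhere in the request URI."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)


@dataclass
class Connection:
    src: str
    dst: str
    service: str      # "http", "https" or "ftp"
    uri: str = ""     # path plus query for http; empty otherwise (assumption)


@dataclass
class UriResource:
    name: str
    path_spec: str
    patterns: list = field(init=False)

    def __post_init__(self):
        self.patterns = [wildcard_to_regex(p) for p in expand_wildcard_set(self.path_spec)]

    def matches(self, conn: Connection) -> bool:
        return any(rx.fullmatch(conn.uri) for rx in self.patterns)


@dataclass
class Rule:
    no: int
    src: str
    dst: str
    services: FrozenSet[str]
    action: str
    resource: Optional[UriResource] = None


# Constructed object definitions (TEST-NET addresses), not from the thread.
GROUPS = {"DMZ_Web_Servers_Group": {"192.0.2.10", "192.0.2.11"}}


def addr_matches(obj: str, addr: str) -> bool:
    return obj == "Any" or addr == obj or addr in GROUPS.get(obj, set())


def decide(rulebase, conn: Connection):
    """First-match evaluation; returns (action, rule number or None)."""
    for rule in rulebase:
        if not (addr_matches(rule.src, conn.src) and addr_matches(rule.dst, conn.dst)):
            continue
        if conn.service not in rule.services:
            continue
        # A resource rule only matches when the resource itself matches the
        # URI; any other request keeps going down the rule base.
        if rule.resource is not None and not rule.resource.matches(conn):
            continue
        return rule.action, rule.no
    # Falling off the end of the rule base is the implicit drop.
    return "drop", None


BLOCK_EXPLOITS_HTTP = UriResource("Block-Exploits-Http", NIMDA_PATH_SPEC)


def build_rulebase(with_accept_rule: bool):
    """Rule 1 is the resource rule from the thread; rule 2 is the accept
    rule Chontzopoulos says must follow it."""
    rules = [Rule(1, "Any", "Any", frozenset({"http"}), "drop", BLOCK_EXPLOITS_HTTP)]
    if with_accept_rule:
        rules.append(Rule(2, "Any", "DMZ_Web_Servers_Group",
                          frozenset({"http", "https", "ftp"}), "accept"))
    return rules


# Constructed sample connections against a DMZ web server.
NIMDA_PROBE = Connection("203.0.113.7", "192.0.2.10", "http", "/scripts/root.exe?/c+dir")
CODE_RED_PROBE = Connection("203.0.113.7", "192.0.2.10", "http", "/default.ida?" + "N" * 40 + "%u9090")
LEGIT_PAGE = Connection("198.51.100.5", "192.0.2.10", "http", "/index.html")
EML_DOWNLOAD = Connection("198.51.100.5", "192.0.2.10", "http", "/mail/saved-message.eml")

if __name__ == "__main__":
    for label, rb in (("resource rule only", build_rulebase(False)),
                      ("resource rule + accept rule", build_rulebase(True))):
        print(label)
        for c in (NIMDA_PROBE, CODE_RED_PROBE, LEGIT_PAGE, EML_DOWNLOAD):
            print("   %-45s -> %s" % (c.uri, decide(rb, c)))
```

With only the resource rule in place, the probes are dropped by rule 1 but `/index.html` falls through to the implicit drop as well, which is the "everything is blocked" outcome the thread warns about; adding the accept rule below it lets the legitimate request through while the probes are still dropped by rule 1. The `EML_DOWNLOAD` case is a caveat on the pattern list itself: `*.eml*` matches any URI containing `.eml`, so a legitimate download of a saved message is dropped too, and the same goes for the other bare-filename patterns.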



 
   All contents © 2004 Network Presence, LLC. All rights reserved.