Cisco IOS Network Based Application Recognition

From: Harris, Joe F (Joe_Harris@xxxxxxxxxxxx)
Date: Mon Aug 06 2001 - 17:15:29 GMT-3

I am using Network Based Application Recognition (NBAR) on my external
routers (7206's) to block the Code Red Worm. The worm sends an HTTP GET
request for a "default.ida" file, so on my Internet routers I have
configured this.

class-map match-any hacks
 match protocol http url "default.ida*"

policy-map inbound-red-worm-hacks
 class hacks
  set ip dscp 1

interface Serial3/0 - "Outside Interface"
 description **NBAR APPLIED TO OUTBOUND INTERFACE**
 !output omitted
 rate-limit input access-group 110 32000 8000 8000 conform-action transmit exceed-action drop
 service-policy input inbound-red-worm-hacks

interface FastEthernet1/0 - "Inside Interface"
 description **DROP ALL DSCP PACKETS**
 !output omitted
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 ip access-group 121 out
 standby 2 priority 95 preempt
 standby 2 ip xxx.xxx.xxx.xxx
 standby 2 track Se3/0

access-list 121 deny ip any any dscp 1 log
access-list 121 permit ip any any

This works to block the worm for the most part. What I mean is, when I go
through my logs I have noticed that I have matched access-list 121 11,283
times. However, the server guys are telling me that since implementing this,
36 HTTP GET requests have actually made it to the server. Anybody got any
clues as to why these 36 requests have gotten through? Is something missing
in my configs (I don't think there is)? I have no clue as to why these
made it through. Here is a link to the feature if you have never used it or
heard of it:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/dtnbar.htm

Joe Harris, CCIE #6200
11 Greenway Plaza, Suite 100
Houston, TX. 77046
713-214-4962 - Office
888-657-9357 - Pager
**Please read: http://www.groupstudy.com/list/posting.html

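The post compares a router-side count (ACL 121 log hits) with what the web server saw. The script below is an added example, not part of the original post or of Cisco's NBAR feature: it triages IIS W3C extended log lines for GET requests whose URI stem matches a "default.ida" glob, in the same spirit as the class-map above, and tallies them per source so the requests that reached the server can be listed and compared with the router's log. The log lines, the glob list and the field layout are constructed assumptions.

```python
"""Server-side triage of Code Red style "default.ida" GET requests.

Added example (not from the original post). Parses IIS W3C extended log
lines and reports which requests matching the worm signature reached the
server, so they can be reconciled against the router's ACL deny count.
"""
import fnmatch

# Glob patterns in the style of "match protocol http url"; assumed list,
# the post itself only uses "default.ida*". A leading "*" also covers the
# "/" that begins every URI stem in the server log.
CODE_RED_GLOBS = ["*default.ida*"]

# Field order assumed for the constructed log lines below.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-06 14:02:11 192.0.2.10 GET /default.ida NNNNNNNNNNNNNNNNNNNN%u9090%u6858 200
2001-08-06 14:02:15 192.0.2.11 GET /index.html - 200
2001-08-06 14:03:02 192.0.2.10 GET /default.ida XXXXXXXXXXXXXXXXXXXX%u9090%u6858 200
2001-08-06 14:05:40 198.51.100.7 GET /default.htm - 200
"""

def parse_w3c(text):
    """Return one dict per data line; directive lines starting with '#' are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows

def is_code_red_request(row, globs=CODE_RED_GLOBS):
    """True for a GET whose URI stem matches any glob (compared case-insensitively,
    because IIS resolves paths case-insensitively on the server side)."""
    if row["cs-method"].upper() != "GET":
        return False
    stem = row["cs-uri-stem"].lower()
    return any(fnmatch.fnmatchcase(stem, g.lower()) for g in globs)

def code_red_hits(text):
    """Return (matching rows, per-source-IP count) for requests that reached the server."""
    hits = [r for r in parse_w3c(text) if is_code_red_request(r)]
    per_source = {}
    for r in hits:
        per_source[r["c-ip"]] = per_source.get(r["c-ip"], 0) + 1
    return hits, per_source

if __name__ == "__main__":
    for r in code_red_hits(SAMPLE_LOG)[0]:
        print(r["date"], r["time"], r["c-ip"], r["cs-uri-stem"])
```

The per-source tally is the number the server team would report; comparing it with the router's ACL 121 log count per source is the first step in finding the path the unmatched requests took.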
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:46 GMT-3