From: Erick B. (erickbe@xxxxxxxxx)
Date: Mon Aug 06 2001 - 18:49:33 GMT-3
Do your server guys have logs they can show you... see
if the IP address is internal or external and maybe
even the GET request they did.
--- Chuck Church <cchurch@MAGNACOM.com> wrote:
> Perhaps another server inside your network is
> already infected, and trying
> to infect the one your server people are watching.
>
> Chuck
>
> -----Original Message-----
> From: nobody@groupstudy.com
> [mailto:nobody@groupstudy.com]On Behalf Of
> Harris, Joe F
> Sent: Monday, August 06, 2001 4:15 PM
> To: ccielab@groupstudy.com
> Subject: Cisco IOS Network Based Application
> Recognition
>
>
> I am using Network Based Application Recognition
> (NBAR) on my external
> routers (7206's) to block the Code Red Worm. The
> worm sends an HTTP GET
> request for a "default.ida" file, so on my Internet
> routers I have
> configured this.
>
> class-map match-any hacks
> match protocol http url "default.ida*"
>
> policy-map inbound-red-worm-hacks
> class hacks
> set ip dscp 1
>
> interface Serial3/0 - "Outside Interface"
> description **NBAR APPLYED TO OUTBOUND INTERFACE**
> !output omitted
> rate-limit input access-group 110 32000 8000 8000
> conform-action transmit
> exceed-action drop
> service-policy input inbound-red-worm-hacks
>
> interface FastEthernet1/0 - "Inside Interface"
> description **DROP ALL DSCP PACKETS**
> !output omitted
> no ip redirects
> no ip proxy-arp
> no ip mroute-cache
> ip access-group 121 out
> standby 2 priority 95 preempt
> standby 2 ip xxx.xxx.xxx.xxx
> standby 2 track Se3/0
>
> access-list 121 deny ip any any dscp 1 log
> access-list 121 permit ip any any
>
>
> This works to block the worm for the most part. What
> I mean is, when I go
> through my logs I have noticed that I have matched
> access-list 121 11,283
> times. However the server guys are telling me that
> since implementing this
> 36 HTTP GET requests have actually made it to the
> server. Anybody got any
> clues as to why these 36 requests have gotten
> through? Is something missing
> in my configs (I don't think there is) but I have no
> clue as to why these
> made it through. Here is a link to the feature if
> you have never used it or
> heard of it:
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t5/dtnbar.htm
>
>
> Joe Harris, CCIE #6200
> 11 Greenway Plaza, Suite 100
> Houston, TX. 77046
> 713-214-4962 - Office
> 888-657-9357 - Pager
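Following Erick's suggestion to check the server logs, here is an added example (not from anyone in this thread) that counts GET requests for the worm's default.ida URL per client address and splits them into internal and external sources, which is the quickest way to see whether the 36 requests came from a host behind the NBAR-marking router. The log format and sample lines are constructed, and "internal" is assumed to mean the RFC 1918 ranges since the thread does not state the real addressing.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed definition of "internal": RFC 1918 ranges (the thread does not give the real ranges).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample web-server log lines in a simplified W3C style:
# date time client-ip method uri-stem status
SAMPLE_LOG = """\
2001-08-06 15:02:11 203.0.113.45 GET /default.ida 200
2001-08-06 15:02:12 198.51.100.7 GET /index.html 200
2001-08-06 15:03:40 10.1.2.3 GET /default.ida 200
2001-08-06 15:04:05 10.1.2.3 GET /default.ida 200
2001-08-06 15:04:30 10.7.7.7 GET /default.ida 200
2001-08-06 15:05:00 172.16.5.9 GET /products.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_line(line):
    """Return (client_ip, method, uri_stem) or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _date, _time, client_ip, method, uri_stem, _status = m.groups()
    return client_ip, method, uri_stem

def is_internal(ip_str):
    """True when the client address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip_str)
    return any(addr in net for net in INTERNAL_NETS)

def worm_hits_by_origin(log_text, marker="default.ida"):
    """Count GET requests whose URI contains the worm marker, keyed by origin and client IP."""
    hits = {"internal": Counter(), "external": Counter()}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client_ip, method, uri_stem = parsed
        if method != "GET" or marker not in uri_stem.lower():
            continue
        origin = "internal" if is_internal(client_ip) else "external"
        hits[origin][client_ip] += 1
    return hits

if __name__ == "__main__":
    result = worm_hits_by_origin(SAMPLE_LOG)
    for origin in ("internal", "external"):
        print(f"{origin}: {sum(result[origin].values())} hit(s) from {len(result[origin])} host(s)")
        for ip, n in result[origin].most_common():
            print(f"  {ip}: {n}")
```

Requests from internal hosts never cross the outside Serial interface, so NBAR never marks them and access-list 121 never sees them; a non-empty internal bucket supports Chuck's theory of an already-infected inside machine.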
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:46 GMT-3