Summary: Blocking nimda probes with a content-layer switch

Summary of suggested comments on defeating nimda probes follows.
Lincoln Dale's comments were cc'd to the list, but I've included
fragments here anyway just to keep them together with the other


Three people suggested using NBAR on cisco routers, along these

One person suggested the following config fragment for F5's Big/IP

rule block_nimda {
        if (http_uri starts_with "/scripts" or http_uri contains "root.exe") {
                discard
        }
        else {
                use ( server_pool )
        }
}

with the proviso that adjustments might be required if those url
patterns are too general for your purposes. Users of Big/IP
versions prior to 4.0 (which don't support "discard") can
route the connections to a dummy pool instead.

One person was using a Nortel/Alteon switch to redirect all
traffic to a cacheflow client accelerator, then using pattern
matching on the cacheflow box to prevent the traffic reaching
the origin servers.

Lincoln suggested the following for the cisco Content Engine
and Content Services Switch:

Cisco Content Engine:
        rule enable
        rule block url-regex http://.*/cmd\.exe
        rule block url-regex http://.*/root\.exe

Cisco CSS11K (Content Services switch):
        service dummy
          ip address
          keepalive type none
        header-field-group cmd.exe
          header-field cmd.exe request-line contain "cmd.exe"
        header-field-group root.exe
          header-field root.exe request-line contain "root.exe"
        content block_cmd.exe
          protocol tcp
          port 80
          url "/*"
          header-field-rule cmd.exe
          add service dummy
        content block_root.exe
          protocol tcp
          port 80
          url "/*"
          header-field-rule root.exe
          add service dummy
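
To compare what the three suggested pattern sets actually catch, here is
the matching logic of the Big/IP rule, the Content Engine url-regex rules
and the CSS request-line rules re-implemented in Python over a few
constructed request lines. This is an added example, not vendor code;
how each device normalises URLs, handles case, and whether http_uri
includes the query string are assumptions.

```python
import re

# Content Engine: url-regex rules as written above, applied here to the
# absolute URL (http://host/path), which is an assumption.
CE_BLOCK_REGEXES = [re.compile(r"http://.*/cmd\.exe"),
                    re.compile(r"http://.*/root\.exe")]

# CSS: header-field ... request-line contain "<string>"
CSS_REQUEST_LINE_SUBSTRINGS = ("cmd.exe", "root.exe")


def bigip_blocks(uri: str) -> bool:
    """Big/IP rule: http_uri starts_with "/scripts" or contains "root.exe"."""
    return uri.startswith("/scripts") or "root.exe" in uri


def ce_blocks(uri: str, host: str) -> bool:
    """Content Engine: any blocking url-regex matches the absolute URL."""
    absolute_url = f"http://{host}{uri}"
    return any(rx.search(absolute_url) for rx in CE_BLOCK_REGEXES)


def css_blocks(request_line: str) -> bool:
    """CSS: the whole request line contains one of the strings."""
    return any(s in request_line for s in CSS_REQUEST_LINE_SUBSTRINGS)


def classify(request_line: str, host: str) -> dict:
    """Return which of the three configs would block this request."""
    _method, uri, _version = request_line.split(" ", 2)
    return {"bigip": bigip_blocks(uri),
            "ce": ce_blocks(uri, host),
            "css": css_blocks(request_line)}


# Constructed sample request lines (not captured traffic), chosen to
# show where the three pattern sets differ from each other.
SAMPLES = [
    "GET /scripts/probe.asp HTTP/1.0",   # only the Big/IP prefix rule fires
    "GET /cgi/cmd.exe HTTP/1.0",         # CE and CSS fire, Big/IP does not
    "GET /other/root.exe HTTP/1.0",      # all three fire
    "GET /index.html HTTP/1.0",          # nothing fires
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line:40} {classify(line, 'www.example.com')}")
```

The first two samples illustrate the proviso above: a "/scripts" prefix rule and a filename rule each miss requests the other catches, so the patterns usually need to be combined or adjusted for your site.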

Lincoln also pointed out that the CSS and CE configs above will
prevent the client's TCP SYN from ever reaching the server: the
devices accept the TCP session and receive the HTTP headers
themselves before deciding whether to pass the request on to the
servers ("delayed binding"). NBAR, by contrast, will only match
HTTP headers on TCP sessions that have already been successfully
established with the server.