Using NBAR to block Nimda

Does anyone have a comprehensive filter to stop Nimda using Cisco's NBAR?

Matt

Matthew E. Martini, PE      InVision.com, Inc.     (631) 543-1000 x104
Chief Technology Officer    matt@invision.net      (631) 864-8896 Fax
http://www.invision.net/

Matt,

Look at the following two URLs and then combine the config:

http://www.cisco.com/warp/customer/63/nimda.shtml

http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml

Alex Yeung

CCO login required, thanks anyway

replace "customer" with "public"

Adi

Replacing the word "customer" with "public" usually fixes that...

] > http://www.cisco.com/warp/customer/63/nimda.shtml
] > http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml
]
] cco login required, thanks anyway

Try the non-CCO versions here:

http://www.cisco.com/warp/public/63/nimda.shtml
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

I've been collecting the blocking info from today's and yesterday's
NANOG onto a page:

http://kgate.virtual.net/cgi-bin/wiki.cgi?action=Browse&id=NIMDAWormBlocking

So far:
     snort
     Squid
     ipfw ruby script
     procmail rulesets
     F5 Big IP
     Nortel/Alteon topology trap
     Cisco NBAR
     Cisco CSS11K, Cisco Content Engine
     apache (updated w/mod_throttle info)
     iptable deny

SRC

Matt Martini wrote:

The basics of using NBAR as an IDS can be found here:
http://iponeverything.net/CodeRed.html

The page above is specifically for Code Red, but the same technique can be
used for blocking many different exploits. Just modify the class map as you
like to block Nimda or anything else.

Randy

I'm presently running using the policy map config example, and having some real problems. While the traffic is no longer getting to the servers, the servers wind up with massive quantities of open TCP sessions. These take long enough to die that Apache winds up maxing out on processes. Two possible alternative approaches that I'd like to explore:

1. Some mechanism that builds on the present stuff, but sends a TCP RST off to the web server to get the TCP session terminated.

2. Alternative approach: use the timed access lists to place a temporary filter rule into the input filter for any IP address which matches on URL. This would protect the servers better, in that it'd block the TCP connections (after the first one) from a server entirely. This wasn't an issue really for CodeRed, but is a major issue for nimda, since it opens many connections.

If anyone has insight on how to implement either of these, I'd like to hear about it.
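As an added illustration of the class-map/policy-map technique Randy describes (not a config from the Cisco pages linked above or from any poster), the fragment below classifies the well-known Nimda and Code Red request strings with NBAR, marks them, and drops the marked packets with a logged ACL on the server-facing interface; the interface names, ACL number and DSCP value are assumed for the example.

```cisco
! NBAR requires CEF switching
ip cef
!
! Classify HTTP requests carrying the well-known Nimda / Code Red URL strings
class-map match-any http-worm-probes
 match protocol http url "*readme.eml*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*.ida*"
!
! Mark matching packets instead of dropping them in the policy map, so one
! ACL on the server-facing interface does the drop and records the hit
policy-map mark-http-worm-probes
 class http-worm-probes
  set ip dscp 1
!
! Assumed: FastEthernet0/0 faces the upstream, apply the marking inbound
interface FastEthernet0/0
 service-policy input mark-http-worm-probes
!
! Drop marked packets toward the web servers; "log" gives a record per hit
access-list 105 deny   ip any any dscp 1 log
access-list 105 permit ip any any
!
! Assumed: FastEthernet0/1 faces the web server segment
interface FastEthernet0/1
 ip access-group 105 out
```

NBAR can only match the URL once the HTTP request arrives, which is after the TCP handshake has completed, so a drop at this point leaves the server with an established but idle connection, the symptom described in the last message above. The `log` keyword on the deny entry at least records which sources are hitting the filter.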