Blocking nimda probes with a content-layer switch
Has anybody tried to block nimda HTTP GET probes using URL pattern matches in a "layer-4-7"[1] switch? The ideal result is to prevent nimda GET probes from ever reaching the destination address, but causing the session to be reset towards the server after the open handshake but before the GET can be sent to the server would be acceptably useful. Particularly whether it's possible on a cisco/Arrowpoint switch, but it would be interesting to know about other vendors too. Please reply directly, will summarise if there are answers to share. Thanks! [1] substitute phrase-du-jour as appropriate
# Detect W32.nimda worm and move to /var/tmp/nimda.DATE.username
# w32.nimda.amm
#
# Outer recipe: match on the three headers the worm's mail carries.
:0 i
* ^Content-Type: multipart/related
* ^Content-Disposition: Multipart message
* ^Subject: .*Software\\Microsoft\\Windo.*$
{
  # Stamp the spool file with today's date.
  :0
  { DATE_=`date "+%Y%m%d"` }

  # Inner recipe (B = search the body): the executable is declared
  # as audio/x-wav. Deliver the whole message to the holding file.
  :0 B
  * ^Content-Type: audio/x-wav
  /var/tmp/nimda.$DATE_.$LOGNAME
}

recycled electrons from sircam...

-bryan bradsby
NOC: 512-475-2432
Texas State Government Net
--
Any technology distinguishable from magic is insufficiently advanced.
At 12:32 AM 19/09/2001 -0400, Joe Abley wrote:
Has anybody tried to block nimda HTTP GET probes using URL pattern matches in a "layer-4-7"[1] switch?
note that this worm uses multiple methods for spreading - email and HTTP. these methods only address the HTTP side of things:

NBAR (Network Based Application Recognition) in IOS: existing CodeRed NBAR settings will block the HTTP probes. see http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml

Cisco Content Engine:

rule enable
rule block url-regex http://.*/cmd\.exe
rule block url-regex http://.*/root\.exe

Cisco CSS11K (Content Services switch):

! sink service: matching requests are sent here instead of the real servers
service dummy
  ip address 10.1.1.1
  keepalive type none
  active
!
! substring matches on the HTTP request line
header-field-group cmd.exe
  header-field cmd.exe request-line contain "cmd.exe"
header-field-group root.exe
  header-field root.exe request-line contain "root.exe"
!
! content rules: any URL on tcp/80 whose request line matches goes to the sink
content block_cmd.exe
  protocol tcp
  port 80
  url "/*"
  header-field-rule cmd.exe
  add service dummy
  active
content block_root.exe
  protocol tcp
  port 80
  url "/*"
  header-field-rule root.exe
  add service dummy
  active
The ideal result is to prevent nimda GET probes from ever reaching the destination address, but causing the session to be reset towards the server after the open handshake but before the GET can be sent to the server would be acceptably useful.
note that only the CSS and the CE in the above will actually prevent the 'tcp syn' from propagating, and they'll establish the tcp 3-way handshake, receive the HTTP headers and then match the request to be an "attack". NBAR will only match the headers on connections that successfully establish a 3-way handshake. (NBAR won't cause the router to spoof the TCP setup - so-called delayed-binding).

cheers,

lincoln.
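The "delayed binding" behaviour Lincoln describes for the CSS and Content Engine, as an added user-space example (not code from the thread or from Cisco): the front end completes the client's TCP handshake itself, reads the HTTP request line, and only then decides whether to open a connection to the real server. A `cmd.exe`/`root.exe` probe therefore never produces a SYN towards the server, and the client just has its connection reset, which is the "acceptably useful" case in the original question. Loopback addresses, ports and the sample request lines are constructed for the demo. One thing it adds beyond the thread's rules: the CSS `contain` and the snort `content:` are raw substring matches, so the example percent-decodes the request target before matching, which catches a probe that spells the filename as `cmd%2eexe`.

```python
"""Added example: a delayed-binding HTTP front end that drops Nimda probes."""
import re
import socket
import struct
import threading
from urllib.parse import unquote

# The two filenames the CSS request-line rules and the Content Engine
# url-regex rules in the thread key on.
PROBE_PATTERNS = [re.compile(r"cmd\.exe", re.I), re.compile(r"root\.exe", re.I)]


def normalise_target(target: str) -> str:
    """Percent-decode the request target, at most twice, so cmd%2eexe (or the
    doubly encoded cmd%252eexe) cannot slip past a plain substring match.
    Bounded because Nimda's own probes used %255c, an already-encoded %5c."""
    for _ in range(2):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_probe(request_line: str) -> bool:
    """True if the HTTP request line's target names cmd.exe or root.exe."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    target = normalise_target(parts[1])
    return any(p.search(target) for p in PROBE_PATTERNS)


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF or a socket error."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass


def serve_client(client: socket.socket, backend: tuple) -> None:
    """One accepted connection. The handshake is complete with us, and
    nothing has been sent towards the backend yet."""
    client.settimeout(5)
    try:
        buf = b""
        while b"\r\n" not in buf and len(buf) < 8192:
            chunk = client.recv(1024)
            if not chunk:
                return
            buf += chunk
        request_line = buf.split(b"\r\n", 1)[0].decode("latin-1", "replace")
        if is_probe(request_line):
            # SO_LINGER with a zero timeout makes close() send a RST, not a FIN:
            # the probe gets no HTTP answer and the backend never sees a SYN.
            client.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            return
        with socket.create_connection(backend) as server:   # SYN to server only now
            server.sendall(buf)                              # replay what we read
            threading.Thread(target=_pump, args=(client, server), daemon=True).start()
            _pump(server, client)                            # server -> client to EOF
    except OSError:
        pass
    finally:
        client.close()


def run_front_end(listener: socket.socket, backend: tuple, stop: threading.Event) -> None:
    """Accept loop, one thread per client, until stop is set."""
    listener.settimeout(0.2)
    while not stop.is_set():
        try:
            client, _ = listener.accept()
        except socket.timeout:
            continue
        threading.Thread(target=serve_client, args=(client, backend), daemon=True).start()


def _listen() -> socket.socket:
    s = socket.socket()
    s.bind(("127.0.0.1", 0))    # ephemeral loopback port, constructed for the demo
    s.listen(5)
    return s


def demo() -> dict:
    """Toy backend plus front end on loopback; send one probe and one ordinary
    request through the front end and report what the backend actually saw."""
    seen = []
    backend_sock, front_sock, stop = _listen(), _listen(), threading.Event()

    def backend() -> None:
        backend_sock.settimeout(3)
        while True:
            try:
                c, _ = backend_sock.accept()
            except socket.timeout:
                return
            with c:
                seen.append(c.recv(4096).split(b"\r\n", 1)[0].decode("latin-1"))
                c.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")

    threading.Thread(target=backend, daemon=True).start()
    threading.Thread(target=run_front_end, daemon=True,
                     args=(front_sock, backend_sock.getsockname(), stop)).start()

    def send(request: bytes) -> bytes:
        with socket.create_connection(front_sock.getsockname()) as s:
            s.settimeout(3)
            s.sendall(request)
            try:
                return s.recv(4096)
            except OSError:          # ConnectionResetError: the front end's RST
                return b""

    probe_reply = send(b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n")
    normal_reply = send(b"GET /index.html HTTP/1.0\r\n\r\n")
    stop.set()
    return {"probe_reply": probe_reply, "normal_reply": normal_reply, "backend_saw": seen}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the distinction the thread is about: the probe's request line never appears in `backend_saw`, and the client gets an empty reply because the connection was reset after the request line was read. NBAR, as described above, inspects the same request only after the real server has already answered the handshake.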
If you're using snort for network intrusion monitoring, you can do something like this:

alert tcp any any -> any 80 (content: "cmd.exe"; msg: "cmd.exe access in HTTP!!"; react: block;)
alert tcp any any -> any 80 (content: "root.exe"; msg: "root.exe access in HTTP!!"; react: block;)

If the snort box is on the same subnet as your webservers, the webserver will still get the request, but will be sent a RST and won't respond. Not as good as dropping the packets at the front door, but better than your webserver responding. If you have the snort box in the data path, then you can actually drop the packets instead of just sending the RSTs.

On Tue, 18 Sep 2001, Lincoln Dale wrote:
participants (4)
- Bryan Bradsby
- jeff@digitalpipe.net
- Joe Abley
- Lincoln Dale