We are having NIMDA problems like crazy. We did the class map like instructed to block out the traffic, but it is still getting to our servers. We are running a Cisco 2610 router with two Serials and one Ethernet. Both serials have a T1 each coming in on them, and the Ethernet sends those T1s out to our ethernet switch. Config in question is below:
The class map we created:
class-map match-any http-hacks
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
 match protocol http url "*.ida*"
 match protocol http url "*readme.eml*"
The Policy map we created:
policy-map drop-hack
 class http-hacks
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-a
This is our Ethernet that goes out to our Switch. Should it have the service policy on it as well? Not clear on this:
The first T1 and I have the service policy activated on it. The IP access group is for IPs that we block out from our network:
 ip access-group 6 in
 service-policy input drop-hack
The second T1 and I have the service policy activated on it. The IP access group is for IPs that we block out from our network:
Is there any way to aggregate NIMDA into one alarm? Getting too many alarm emails. Only idea I had is to reduce severity on 5 of the six alarms I get, but I don't like that.
NIDS operators will not see an alarm that identifies Nimda by name. They will see a series of these alarms as Nimda tries different exploits to compromise the target. These alarms will identify the source address of hosts that have been compromised and should be isolated from the network, cleaned, and patched.
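One way to do the aggregation asked about above, as an added Python example that is not from this thread: it folds the series of per-exploit alarms into one summary per source host per time window, keyed on the same four URL strings the class-map matches, so a compromised host shows up once with every signature it tripped. The alarm line format, the ten-minute window and the sample alarm lines are all constructed here, not taken from any sensor.

```python
import re
from datetime import datetime, timedelta

# The four URL strings the router's class-map matches; a source that trips
# several of them inside one window gets a single summary, not one alarm each.
NIMDA_SIGNATURES = {name: re.compile(rx, re.IGNORECASE) for name, rx in [
    ("cmd.exe", r"cmd\.exe"), ("root.exe", r"root\.exe"),
    (".ida", r"\.ida\b"), ("readme.eml", r"readme\.eml")]}
WINDOW = timedelta(minutes=10)  # assumed aggregation window
LINE_RE = re.compile(r"^(\S+) src=(\S+) url=(\S+)$")  # assumed alarm format

# Constructed sample alarm lines (not real sensor output).
SAMPLE_ALARMS = """\
2001-09-18T10:00:01 src=10.1.1.5 url=/scripts/root.exe?/c+dir
2001-09-18T10:00:02 src=10.1.1.5 url=/c/winnt/system32/cmd.exe?/c+dir
2001-09-18T10:00:04 src=10.1.1.5 url=/default.ida?XXXX
2001-09-18T10:00:09 src=10.1.1.5 url=/readme.eml
2001-09-18T10:02:00 src=10.2.2.9 url=/index.html
2001-09-18T10:30:00 src=10.1.1.5 url=/MSADC/root.exe?/c+dir
"""

def aggregate(text, window=WINDOW):
    """One summary per source per window: signatures seen and alarms replaced."""
    open_windows = {}  # src -> [window start, signature names, alarm count]
    summaries = []

    def close(src):
        start, sigs, count = open_windows.pop(src)
        summaries.append({"src": src, "start": start.isoformat(),
                          "signatures": sorted(sigs), "alarms": count})

    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, url = m.groups()
        ts = datetime.fromisoformat(ts)
        hits = {name for name, rx in NIMDA_SIGNATURES.items() if rx.search(url)}
        if not hits:
            continue  # not a Nimda probe: that alarm passes through untouched
        if src in open_windows and ts - open_windows[src][0] > window:
            close(src)  # window expired: emit it, then start a fresh one
        state = open_windows.setdefault(src, [ts, set(), 0])
        state[1].update(hits)
        state[2] += 1
    for src in list(open_windows):  # flush whatever is still open
        close(src)
    return summaries
```

Each summary carries the source address to isolate and the full set of signatures it tripped, so the one email per host replaces the five or six you get now.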