Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Having troubles with NIMDA Traffic

We are having NIMDA Problems liek crazy. We did the class map like instructed to block out the traffic, but it is still getting to our servers. We are running a cisco 2610 router with two Serails and one ethernet. Both serails have a T1 each coming in on them, and the Ethernet sends those T1s out to our ethernet switch. Config in question is below:

The class map we created:

class-map match-any http-hacks

match protocol http url "*cmd.exe*"

match protocol http url "*root.exe*"

match protocol http url "*.ida*"

match protocol http url "*readme.eml*"

The Policy map we created:

policy-map drop-hack

class http-hacks

police 1000000 31250 31250 conform-action drop exceed-action drop violate-a

ction drop

This is our Ethernet that goes out to our Switch. Shoudl it have the service policy on it as well? Not clear on this:

interface Ethernet0/0

The first T1 and I have the service policy activated on it. The IP access group is for IPs that we block out from our network:

interface Serial0/0

ip access-group 6 in

service-policy input drop-hack

The second T1 and I have the service policy activated on it. The IP access group is for IPs that we block out from our network:

interface Serial0/1

ip access-group 6 in

service-policy input drop-hack

Thank You

Alvin Slocombe

2 REPLIES
New Member

Re: Having troubles with NIMDA Traffic

New Member

Re: Having troubles with NIMDA Traffic

Is there any way to aggregate NIMDA into one alarm? Getting too many alarm emails. Only idea I had is to reduce severity on 5 of the six alarms I get, but I don't like that.

re:

NIDS operators will not see an alarm that identifies Nimda by name. They will see a series of these alarms as Nimda tries different exploits to compromise the target. These alarms will identify the source address of hosts that have been compromised and should be isolated from the network, cleaned, and patched.

111
Views
0
Helpful
2
Replies