NBAR and Access-list within IOS

gcumarasamy
Level 1

I have implemented NBAR and an access-list on my router to block the Code Red worm from hitting the servers. The servers are patched, but my understanding is that by implementing NBAR and the access-list, I could prevent Code Red traffic from hitting the servers.

I am still seeing Code Red traffic behind the router. When I analyzed the Code Red traffic from the IDS, I saw that the “Get” command and the “/default.ida NNNNNNNNNNNNNNNN” command are in two separate packets. Does the NBAR solution work if the exploit is broken down into more than one packet?

Because all the Code Red traffic I see behind the router is in two separate packets.

Can someone please confirm this?

Thanks in advance.

3 Replies

mhoda
Level 5

If the Code Red traffic is flowing through the router then NBAR should stop it. Please make sure that it's not originating from one of the IIS servers in your internal network.

shannong
Level 4

I don't think the router reassembles packets for NBAR inspection. Can you paste the match commands that you're using?

class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"

Thanks
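An added example (not from this thread or from Cisco) that models shannong's point: one matcher inspects the HTTP request line in each TCP segment on its own, the other reassembles the segments first. The URL globs are the ones from the class-map above; the split request segments, the segment boundary and the assumption that a URL match needs a complete, parsable request line are constructed for the illustration, not a statement of how NBAR is implemented.

```python
import re
from typing import Iterable, List, Optional, Pattern

# URL globs taken from the class-map in the thread.
NBAR_URL_GLOBS = ["*default.ida*", "*cmd.exe*", "*root.exe*"]


def glob_to_regex(glob: str) -> Pattern[str]:
    """Translate an IOS-style '*' wildcard into an anchored regex."""
    return re.compile("^" + ".*".join(re.escape(p) for p in glob.split("*")) + "$")


URL_PATTERNS = [glob_to_regex(g) for g in NBAR_URL_GLOBS]

# A request line must start the buffer: "<METHOD> <URL> HTTP/x.y".
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d", re.IGNORECASE)


def request_url(data: bytes) -> Optional[str]:
    """Return the URL from a complete HTTP request line at the start of data, else None."""
    m = REQUEST_LINE.match(data)
    return m.group(2).decode("latin-1") if m else None


def url_matches(url: str) -> bool:
    """True if the URL matches any of the configured globs."""
    return any(p.match(url) for p in URL_PATTERNS)


def classify_per_segment(segments: Iterable[bytes]) -> List[bool]:
    """Model A (assumed): each segment is inspected alone, with no reassembly."""
    results = []
    for seg in segments:
        url = request_url(seg)
        results.append(url is not None and url_matches(url))
    return results


def classify_reassembled(segments: Iterable[bytes]) -> bool:
    """Model B: segments are joined into the stream before the request line is parsed."""
    url = request_url(b"".join(segments))
    return url is not None and url_matches(url)


# Constructed sample segments: method and URL split as the IDS in the thread reported.
SPLIT_REQUEST = [b"GET ", b"/default.ida?NNNNNNNNNNNNNNNN HTTP/1.0\r\nHost: 10.0.0.1\r\n\r\n"]
INTACT_REQUEST = [b"GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0\r\nHost: 10.0.0.1\r\n\r\n"]
```

Under model A the split request is never classified, because neither segment carries a complete request line; under model B it is, which is why whether the inspection engine reassembles decides the outcome.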
