03-21-2003 08:03 AM - edited 02-20-2020 09:20 PM
I have implemented NBAR and an access-list on my router to block the Code Red worm from hitting the servers. The servers are patched, but my understanding is that by implementing NBAR and the access-list, I could prevent Code Red traffic from hitting the servers.
I am still seeing Code Red traffic behind the router. When I analyzed the Code Red traffic from the IDS, I saw the GET command and the /default.ida NNNNNNNNNNNNNNNN command are in two separate packets. Does the NBAR solution work if the exploit is broken down into more than one packet?
Because all the Code Red traffic I see behind the router is in two separate packets.
Can someone please confirm this?
Thanks in advance.
03-26-2003 11:44 PM
If the Code Red traffic is flowing through the router then NBAR should stop it. Please make sure that it's not originating from one of the IIS servers in your internal network.
03-27-2003 07:40 AM
I don't think the router reassembles packets for NBAR inspection. Can you paste the match commands that you're using?
03-27-2003 09:07 AM
class-map match-any http-hacks
match protocol http url "*default.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
Thanks
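To illustrate the reassembly question raised above, here is an added example (not from the thread or from Cisco) that applies the three url patterns from the posted class-map under two simplified inspection models: one that looks at each TCP payload on its own, and one that joins the client's segments before parsing the request line. The segment split and the sample request are constructed; the matching logic is a model for reasoning about the problem, not NBAR's actual implementation.

```python
import re

# Glob-style url patterns copied from the posted class-map.
URL_PATTERNS = ["*default.ida*", "*cmd.exe*", "*root.exe*"]

def glob_to_regex(glob):
    """Turn an NBAR-style '*foo*' glob into an anchored regex."""
    return re.compile("^" + ".*".join(re.escape(p) for p in glob.split("*")) + "$", re.S)

PATTERNS = [glob_to_regex(g) for g in URL_PATTERNS]

# An HTTP request line must be visible in full before a URL can be extracted.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n", re.S)

def url_from_request(data):
    """Return the request URL if `data` begins with a complete request line, else None."""
    m = REQUEST_LINE.match(data)
    return m.group(2).decode("latin-1") if m else None

def url_matches(url):
    return any(p.match(url) for p in PATTERNS)

def inspect_per_packet(segments):
    """Model of per-packet inspection: every TCP payload is examined alone."""
    for seg in segments:
        url = url_from_request(seg)
        if url is not None and url_matches(url):
            return True
    return False

def inspect_reassembled(segments):
    """Model of stream inspection: in-order client segments are joined first."""
    url = url_from_request(b"".join(segments))
    return url is not None and url_matches(url)

# Constructed sample: a Code Red style request line with the shellcode omitted.
CODE_RED_REQUEST = b"GET /default.ida?" + b"N" * 24 + b" HTTP/1.0\r\nHost: srv\r\n\r\n"
SINGLE_SEGMENT = [CODE_RED_REQUEST]
# Constructed split matching the thread's IDS observation: "GET " in one packet,
# "/default.ida..." in the next.
SPLIT_SEGMENTS = [CODE_RED_REQUEST[:4], CODE_RED_REQUEST[4:]]

if __name__ == "__main__":
    for name, segs in (("single", SINGLE_SEGMENT), ("split", SPLIT_SEGMENTS)):
        print(name, "per-packet:", inspect_per_packet(segs),
              "reassembled:", inspect_reassembled(segs))
```

Only the reassembling model flags the split request; the per-packet model passes it, which matches the observation in the original post and is why detection on the IDS (or a patched host) is still needed behind the router.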