New Member

stopping worms at the pix

Being fairly new to networking and especially managing a PIX firewall, I have a question concerning a syslog message. We are running a PIX 506E ver 6.1 and I have seen this message on a daily basis:

%PIX-5-304001: 12.80.4.8 Accessed URL 12.29.188.41:/MSADC/root.exe?/c dir

It is my understanding that this could be a worm trying to hit an IIS web server. We don't use IIS, but should this concern me, and can I block this from even coming through the PIX? The only access from the outside is on port 80.

Thanks

Steve

3 REPLIES
New Member

Re: stopping worms at the pix

That's a worm that exploits a hole in IIS. Just don't use IIS whatever you do, but you could probably block that in the PIX. Not 100% sure how, but I'd love to know if anyone else does.

Silver

Re: stopping worms at the pix

The PIX doesn't have any HTTP protocol level support for something to prevent such worms. fixup protocol http is necessary for url filtering, IIRC.

There are supposed to be some tricks one can do with NBAR on certain routers to do such application level filtering, but nothing on the PIX.

Matt

Cisco Employee

Re: stopping worms at the pix

Correct, there's nothing the PIX can do with this. If you're allowing port 80 through it, then those packets are going to get through every time.

If you have a Cisco router outside (or inside) the PIX, you can use NBAR to drop these; this is how we got around the Code Red worm a while back.

See http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml for more details on how to configure this.
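Since the PIX only logs these requests, one way to keep an eye on them is to pull the %PIX-5-304001 lines out of the syslog and tally which sources are sending IIS worm probes. The following is an added example, not part of the original thread or any Cisco tool. Assumptions: the marker list (`root.exe` from the message quoted in the question, plus `cmd.exe` and `default.ida` as commonly seen in Nimda and Code Red requests) and every sample line except the first, which are constructed.

```python
import re
from collections import Counter

# PIX URL-logging message, in the format quoted in the original post:
#   %PIX-5-304001: <client> Accessed URL <server>:<url>
MSG_304001 = re.compile(r"%PIX-5-304001: (\S+) Accessed URL ([^:\s]+):(.*)$")

# Assumed markers for IIS worm probes (illustrative, not exhaustive).
PROBE_MARKERS = ("root.exe", "cmd.exe", "default.ida")

def parse_304001(line):
    """Return client, server and URL for a 304001 message, else None."""
    m = MSG_304001.search(line)
    if not m:
        return None
    src, dst, url = m.groups()
    return {"src": src, "dst": dst, "url": url.strip()}

def find_probes(lines):
    """Return parsed records whose URL contains a known probe marker."""
    hits = []
    for line in lines:
        rec = parse_304001(line)
        if rec is None:
            continue  # not a URL-access message
        path = rec["url"].lower()  # IIS paths are case-insensitive
        marker = next((p for p in PROBE_MARKERS if p in path), None)
        if marker:
            rec["marker"] = marker
            hits.append(rec)
    return hits

def probes_per_source(hits):
    """Count probe requests per client address."""
    return Counter(h["src"] for h in hits)

# Sample input: first line is from the post, the rest are constructed.
SAMPLE_LOG = [
    "%PIX-5-304001: 12.80.4.8 Accessed URL 12.29.188.41:/MSADC/root.exe?/c dir",
    "%PIX-5-304001: 192.0.2.10 Accessed URL 12.29.188.41:/index.html",
    "%PIX-5-304001: 12.80.4.8 Accessed URL 12.29.188.41:/scripts/cmd.exe?/c+dir",
    "Jan 01 00:00:00 fw unrelated message (constructed)",
    "%PIX-5-304001: 198.51.100.7 Accessed URL 12.29.188.41:/default.ida?NNNN",
]

if __name__ == "__main__":
    for src, count in probes_per_source(find_probes(SAMPLE_LOG)).most_common():
        print(f"{src}: {count} probe request(s)")
```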
