Blocking Code Red 1 and 2 info

Greetings all,
After looking at http://www.grc.com  discussion page  [:O]cle.
http://www.securitynewsportal.com/article.php?sid=1392

It outlines the footprints of both versions of the worm.  It also gives information about how to block it on a Cisco router.

I am sure there are more than a few others out there that need help with this like I do.

If anyone has information about how to impliment this into ASL, please let me know.

Thanks,

Ryan Bloch
Fourth Dimension Networks Inc.

[ 08 August 2001: Message edited by: ryan bloch ]

Parents

0 Darryl Smith over 23 years ago

G'Day

The first solution is to make sure that all OUTGOING connections are forced to use the PROXY. This will help. Then write a SQUID rule to search for the default.ida and not let that through

DO NOT follow some rules and just block NNNNNNN, since there is a variant with XXXXXX. Also a future variant WILL have random in this area.

By filtering outgoing you will fix a lot of problems in case a machine inside gets infected... This unfortnately is like standing up in a gun fight saying shoot me so that your friends can get away...

So you need to filter incoming traffic to our WWW servers. This might be a bit harder, but it is possible to configure SQUID to handle this.

Read the security portal article and place the rules in the squid config file.

Good Luck

Darryl
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Darryl Smith over 23 years ago

G'Day

The first solution is to make sure that all OUTGOING connections are forced to use the PROXY. This will help. Then write a SQUID rule to search for the default.ida and not let that through

DO NOT follow some rules and just block NNNNNNN, since there is a variant with XXXXXX. Also a future variant WILL have random in this area.

By filtering outgoing you will fix a lot of problems in case a machine inside gets infected... This unfortnately is like standing up in a gun fight saying shoot me so that your friends can get away...

So you need to filter incoming traffic to our WWW servers. This might be a bit harder, but it is possible to configure SQUID to handle this.

Read the security portal article and place the rules in the squid config file.

Good Luck

Darryl
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 BarryG over 23 years ago in reply to Darryl Smith

You may want to look at
HogWash
It's a modified Snort that can filter and drop packets on any service.
It will probably work with ASL, I'm going to try it.

Also, if you get Squid working as a reverse-proxy and dropping Code-Red, please post the config.

Barry
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel