blocking Code Red Worm?

Hi, I've been using ASL at home for a few weeks.

Today, at work, our IIS server has started crashing due to the Code Red worm attacking it, even though we've already put in all the MS fixes.

I'm thinking using the reverse (transparent) proxy in ASL might work if these URL patterns could be blocked with Squid or the ad zapper.

Or, if a packet filter exists that could drop these packets.

Anyone know if this is feasible with ASL?

The requests come in on port 80, and look like this:
2001-07-19 16:19:23 212.54.122.156 W3SVC30 serverip GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%
u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u78
01%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%
u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00 
 =a 404 604 4039 19657 - -

Thank you,
Barry

[ 21 July 2001: Message edited by: barrygould ]
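Added example, not part of the original post: a log scanner that flags the request pattern quoted above (a `.ida` stem with an oversized, `%u`-encoded query string) and counts hits per client address, which is the list a proxy rule or packet filter would act on. The sample lines are constructed in the quoted field order with shortened padding and placeholder addresses; the function names and the thresholds are assumptions.

```python
import re
from collections import Counter

MAX_QUERY_LEN = 200  # assumed threshold; tune for the site
MIN_PCT_U = 3        # assumed minimum number of %uXXXX sequences
PCT_U = re.compile(r"%u[0-9a-fA-F]{4}")

# Constructed sample: date time client site server method stem query status ...
SAMPLE_LOG = "\n".join([
    "2001-07-19 16:19:23 192.0.2.10 W3SVC30 198.51.100.5 GET /default.ida "
    + "N" * 224 + "%u9090%u6858%ucbd3%u7801 404 604 4039 19657 - -",
    "2001-07-19 16:19:25 192.0.2.44 W3SVC30 198.51.100.5 GET /index.html - 200 0 512 230 - -",
    "2001-07-19 16:19:30 192.0.2.45 W3SVC30 198.51.100.5 GET /search.ida q=report 200 0 812 260 - -",
    "2001-07-19 16:19:31 192.0.2.10 W3SVC30 198.51.100.5 GET /DEFAULT.IDA "
    + "N" * 224 + "%u9090%u8190%u00c3 404 604 4039 19657 - -",
])

def parse_line(line):
    """Split one log line into the fields used here; None if it is too short."""
    f = line.split()
    if len(f) < 9:
        return None
    return {"client": f[2], "method": f[5], "stem": f[6], "query": f[7], "status": f[8]}

def reasons(entry):
    """Return why an entry matches the quoted pattern (empty list if it does not)."""
    if not entry["stem"].lower().endswith(".ida"):
        return []
    found = []
    if len(entry["query"]) > MAX_QUERY_LEN:
        found.append("oversized query")
    if len(PCT_U.findall(entry["query"])) >= MIN_PCT_U:
        found.append("%u-encoded run")
    return found

def scan(log_text):
    """Count matching requests per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and reasons(entry):
            hits[entry["client"]] += 1
    return hits

if __name__ == "__main__":
    for client, count in scan(SAMPLE_LOG).most_common():
        print(client, count)
```

An ordinary `.ida` request with a short query, such as the third sample line, is not flagged, so the check does not depend on blocking the extension outright.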