RE: [suse-security] RE: does anybody know such a log
Can't tell you, but I found some antidote against such stuff in the internet:

# DROP HTTP packets related to CodeRed and Nimda
# viruses silently
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
    -d $IP --dport http -m string \
    --string "/default.ida?" -j DROP
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
    -d $IP --dport http -m string \
    --string ".exe?/c+dir" -j DROP
iptables -t filter -A INPUT -i $EXT_IFACE -p tcp \
    -d $IP --dport http -m string \
    --string ".exe?/c+tftp" -j DROP

I'm implementing that and let's see how good the stuff works.

Philipp
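Added example, not from the thread: the same three request substrings the iptables rules above drop, applied to web-server access-log lines so the worm probes can be counted per source host (useful for checking what is actually hitting the server, or whether a drop rule is working). Assumes Apache common log format; the log lines are constructed.

```python
import re
from collections import Counter

# The three payload substrings from the iptables rules in the thread,
# mapped to the worm family they indicate.
SIGNATURES = {
    "/default.ida?": "Code Red",
    ".exe?/c+dir": "Nimda",
    ".exe?/c+tftp": "Nimda",
}

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def classify(request):
    """Return the worm family a logged request line matches, or None."""
    for needle, family in SIGNATURES.items():
        if needle in request:
            return family
    return None


def scan_log(lines):
    """Return (host, family, request) for every log line that matches a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in common log format, skip
        family = classify(m.group("request"))
        if family:
            hits.append((m.group("host"), family, m.group("request")))
    return hits


def summarize(lines):
    """Count probes per (source host, worm family)."""
    return Counter((host, family) for host, family, _ in scan_log(lines))


# Constructed sample log lines (not from the thread), one clean request among the probes.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Oct/2002:10:01:02 +0200] "GET /default.ida?NNNNNNNNNN HTTP/1.0" 404 284',
    '192.0.2.10 - - [11/Oct/2002:10:01:05 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 289',
    '198.51.100.7 - - [11/Oct/2002:10:02:11 +0200] "GET /c/winnt/system32/cmd.exe?/c+tftp HTTP/1.0" 404 300',
    '203.0.113.5 - - [11/Oct/2002:10:03:00 +0200] "GET /index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    for (host, family), n in summarize(SAMPLE_LOG).items():
        print(f"{host}: {n} {family} probe(s)")
```

Note that the packet-filter rules match the raw bytes of a single TCP segment, so a request split across segments would slip past them; the log-based count catches whatever the web server actually received.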
HI

http://www.cert.org/advisories/CA-2001-19.html

Code Red :) IIRC, wasn't there a script someone on the SuSE Linux E list had that would stop the thing from filling up your logs??? Which is, at present, all it can do....
-- j
afterthought If this was funny it would be a tagline.
On Fri, 11 Oct 2002 mailinglists@belfin.ch wrote:
> Can't tell you, but I found some antidote against such stuff in the internet:
> [iptables -m string --string "pattern"]
Well, the stuff from the patch-o-matic and some of that stuff is not very stable, however you might try. Both SuSE default kernels 2.4.28 and 2.4.19 that came with the two last versions offer the module already, so you can run tests even with the default kernel. A simple modprobe ipt_string should be enough. I'd believe that this pattern matching will be quite CPU consuming, anyway, why not try it.

Wolfgang

--
shconnect Internet Service
web: http://www.shconnect.de
EMail: info@shconnect.de
Bundesstrasse 2, 24392 Dollrottfeld, Fed. Rep. Germany
phone: +49 4641 644