
stopping worms at the pix

stevel

Being fairly new to networking, and especially to managing a PIX firewall, I have a question concerning a syslog message. We are running a PIX 506E ver 6.1 and I have seen this message on a daily basis:

%PIX-5-304001: 12.80.4.8 Accessed URL 12.29.188.41:/MSADC/root.exe?/c dir

It is my understanding that this could be a worm trying to hit an IIS web server. We don't use IIS, but should this concern me, and can I block this from even coming through the PIX? The only access from the outside is on port 80.

thanks

Steve


cmiller

That's a worm that exploits a hole in IIS. Just don't use IIS whatever you do, but you could probably block that in the PIX. Not 100% sure how, but I'd love to know if anyone else does.

The PIX doesn't have any HTTP protocol level support for something to prevent such worms. fixup protocol http is necessary for URL filtering, IIRC.

There are supposed to be some tricks one can do with NBAR on certain routers to do such application level filtering, but nothing on the PIX.

Matt

Correct, there's nothing the PIX can do with this. If you're allowing port 80 through it, then those packets are going to get through every time.

If you have a Cisco router outside (or inside) the PIX, you can use NBAR to drop these; this is how we got around the Code Red worm a while back.

See http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml for more details on how to configure this.
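Since the replies agree the PIX will pass these requests whenever port 80 is open, the 304001 messages are mainly useful for seeing who is probing and how often. The script below is an added example, not part of the original thread or any Cisco tooling: it parses messages in the layout quoted in the question and counts probe hits per source. The marker list and every sample line except the first are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Message layout as quoted in the thread: "<src> Accessed URL <dst>:<url>"
MSG = re.compile(r"%PIX-5-304001: (?P<src>\S+) Accessed URL (?P<dst>[^:\s]+):(?P<url>.*)$")

# Assumed marker list: root.exe is from the thread; cmd.exe and default.ida are
# other request strings commonly tied to Code Red/Nimda-era IIS scans.
MARKERS = ("root.exe", "cmd.exe", "default.ida")

def parse(line):
    """Return (src, dst, url) for a 304001 message, or None for anything else."""
    m = MSG.search(line)
    return (m["src"], m["dst"], m["url"]) if m else None

def normalise(url):
    """Undo repeated percent-encoding (e.g. %255c) and fold case and slashes."""
    for _ in range(3):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.lower().replace("\\", "/")

def probe_marker(url):
    """Return the first marker found in the normalised URL, else None."""
    u = normalise(url)
    return next((m for m in MARKERS if m in u), None)

def summarise(lines):
    """Count probe hits per (source address, marker)."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        marker = probe_marker(rec[2]) if rec else None
        if marker:
            hits[(rec[0], marker)] += 1
    return hits

# First line is the message from the thread; the rest are constructed samples.
SAMPLE = [
    "%PIX-5-304001: 12.80.4.8 Accessed URL 12.29.188.41:/MSADC/root.exe?/c dir",
    "%PIX-5-304001: 192.0.2.10 Accessed URL 198.51.100.5:/scripts/..%255c../winnt/system32/cmd.exe?/c+dir",
    "%PIX-5-304001: 192.0.2.10 Accessed URL 198.51.100.5:/scripts/root%2eexe?/c+dir",
    "%PIX-5-304001: 192.0.2.20 Accessed URL 198.51.100.5:/index.html",
    "unrelated syslog line (constructed)",
]

if __name__ == "__main__":
    for (src, marker), n in summarise(SAMPLE).most_common():
        print(f"{src}\t{marker}\t{n}")
```

Sources that keep appearing in the summary are candidates for an upstream ACL or a report to their provider, whether or not an IIS server sits behind the firewall.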
