need help about code red

mingchieh
Level 1

PIX syslog message:

2003-03-31 15:30:21 Local4.Notice 192.168.253.253 %PIX-5-304001: 61.1.180.220 Accessed URL (my web site ip address ):/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I have followed the document on the Cisco web site

"Cisco - Using Network-Based Application Recognition and ACLs for Blocking the "Code Red" Worm"

and I have keyed the commands in on my 3660 router,

but my PIX firewall still receives the syslog message above.

Do I need to key in other commands??

==========================================

My route map is:

Router#show route-map
route-map null_policy_route, permit, sequence 10
  Match clauses:
    ip address (access-lists): 106
  Set clauses:
    interface Null0
  Policy routing matches: 116 packets, 23968 bytes

=====================

My class-map is:

class-map match-any coderedhttp-hacks
  match protocol http url "*default.ida*"
  match protocol http url "*x.ida*"
  match protocol http url "*.ida*"
  match protocol http url "*cmd.exe*"
  match protocol http url "*root.exe*"
  match protocol http url "default.ida"
!
!
policy-map mark-inbound-http-hacks
  class coderedhttp-hacks
    set ip dscp 1
access-list 106 permit ip any any dscp 1

==================================

I feel that sometimes the router matches and drops the packets,

but sometimes it does not.

Why??

3 Replies

gfullage
Cisco Employee

Your ACL is this:

> access-list 106 permit ip any any dscp 1

You've configured the router to set the DSCP bit in any HTTP packet that has "default.ida" in it, but then you go on and say "permit all those packets". Your ACL should be:

> access-list 106 deny ip any any dscp 1

> access-list 106 permit ip any any

Make sure you've applied the service-policy to the inbound interface, and that the ACL 106 is applied outbound on your inside interface.

Check out http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml
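One way to tell whether the marked traffic is actually being dropped is to review the PIX log itself: the %PIX-5-304001 lines show every request that still reached the web server. The following is an added example, not code from the thread or from Cisco, that parses those lines, applies the URL patterns from the class-map above (treating NBAR's "*" as "any run of characters", an assumption made here for log review) and counts the Code Red-pattern requests per source address. The sample log lines and the 192.0.2.10 server address are constructed for the example.

```python
import re
from collections import Counter

# Shape of the %PIX-5-304001 "Accessed URL" message quoted in the thread; everything before
# the message ID (timestamp, facility.severity, PIX address) is skipped by search().
PIX_304001 = re.compile(
    r"%PIX-5-304001:\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+Accessed URL\s+"
    r"(?P<dst>[^:\s]+):(?P<url>\S+)"
)

# URL globs from the class-map on the page; '*' is treated here as "any run of characters"
# (an assumption about NBAR's matching, adequate for reviewing logs).
CODE_RED_URL_GLOBS = ["*default.ida*", "*x.ida*", "*.ida*", "*cmd.exe*", "*root.exe*", "default.ida"]

def glob_to_regex(glob):
    """Translate one NBAR-style url glob into a full-string, case-insensitive regex."""
    return re.compile("^" + ".*".join(map(re.escape, glob.split("*"))) + "$", re.IGNORECASE)

CODE_RED_URL_RES = [glob_to_regex(g) for g in CODE_RED_URL_GLOBS]

def parse_pix_304001(line):
    """Return (src, dst, url) for a 304001 line, or None for any other syslog message."""
    m = PIX_304001.search(line)
    return (m.group("src"), m.group("dst"), m.group("url")) if m else None

def is_code_red_url(url):
    """True if the logged URL (path plus query string) matches any class-map pattern."""
    return any(r.match(url) for r in CODE_RED_URL_RES)

def scan_pix_log(lines):
    """Return (hits, per_source): Code Red-pattern requests that reached the server, counted by source."""
    hits = [p for p in map(parse_pix_304001, lines) if p and is_code_red_url(p[2])]
    return hits, Counter(src for src, _, _ in hits)

# Constructed sample log: one line modelled on the post (server address replaced by 192.0.2.10),
# one benign request, one other Code Red-pattern request, and one unrelated PIX message.
SAMPLE_LOG = [
    "2003-03-31 15:30:21 Local4.Notice 192.168.253.253 %PIX-5-304001: 61.1.180.220 Accessed URL 192.0.2.10:/default.ida?XXXXXXXXXXXXXXXXXXXX",
    "2003-03-31 15:30:25 Local4.Notice 192.168.253.253 %PIX-5-304001: 198.51.100.7 Accessed URL 192.0.2.10:/index.html",
    "2003-03-31 15:30:27 Local4.Notice 192.168.253.253 %PIX-5-304001: 61.1.180.220 Accessed URL 192.0.2.10:/scripts/root.exe",
    "2003-03-31 15:30:30 Local4.Notice 192.168.253.253 %PIX-6-302013: Built inbound TCP connection (constructed, not a 304001 line)",
]

if __name__ == "__main__":
    hits, per_source = scan_pix_log(SAMPLE_LOG)
    for src, n in per_source.most_common():
        print(f"{src}: {n} Code Red-pattern request(s) still reached the server")
```

If the count per source keeps growing after the ACL and service-policy are corrected, the traffic is not taking the path the policy is applied to, which is the "sometimes drops, sometimes not" symptom described above.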

I also have a problem with Code Red causing congestion problems in my DMZ. My servers are protected, but I'd like to cut it off at the router. I have a 3640 router with 4 T-1s to 2 different Internet providers. From everything I have read concerning this policy map etc., you need CEF enabled on the router for this to work. Is that correct? Do all the interfaces need CEF on them, or can one be fast-switched?

Yes, for NBAR to work you need CEF enabled. CEF is enabled globally, so if an interface is configured for fast switching, then it'll be doing CEF. Only if you have the "no ip route-cache" command is the interface process switched.