Http(80) attack 을 막자 (Warm Virus)

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_tech_note09186a0080110d17.shtml

CEF를 우선 올려야 합니다

Platform -  Minimum Cisco IOS Software Version

7200 - 12.1(5)T
7100 - 12.1(5)T
3660 - 12.1(5)T
3640 - 12.1(5)T
3620 - 12.1(5)T
2600 - 12.1(5)T
1700 - 12.2(5)T

==========     견본      ==========


1. 장비가 NBAR을 지원 하는 장비인지 확인한다
Platform -  Minimum Cisco IOS Software Version
7200 - 12.1(5)T
7100 - 12.1(5)T
3660 - 12.1(5)T
3640 - 12.1(5)T
3620 - 12.1(5)T
2600 - 12.1(5)T
1700 - 12.2(5)T

2. CEF를 설정한다 (NBAR)을 사용하기 위해서..
3. NBAR(Network-based application recogntion) Filter설정

class-map match-any http-hacks
  match protocol http mime "*readme.elm*"
  match protocol http url "*.ida*"
  match protocol http url "*cmd.exe*"
  match protocol http url "*root.exe*"
  match protocol http url "*readme.exe*"
  match protocol http url "*default.ida*"
  match protocol http url "*x.ida*"
  match protocol http url "*.eml*"
  match protocol http url "*rich.dll*"
  match protocol http url "*admin.dll*"
  match protocol http url "*_vti_bin*"
  match protocol http url "*_mem_bin*"

policy-map mark-inbound-http-hacks
  class http-hacks
   set ip dscp 1

4. Interface에 Service-policy를 설정한다

interface Serial0/0
service-policy input mark-inbound-http-hacks


==========     확인방법 (주의 : CPU가 약간 올라감)     ==========


Router#sh policy-map interface Serial 0/0
Serial0/0

  Service-policy input: mark-inbound-http-hacks (1149)

    Class-map: http-hacks (match-any) (1151/2)
      19 packets, 28496 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol http mime "*readme.elm*" (1155)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.ida*" (1159)
        19 packets, 28496 bytes
        5 minute rate 0 bps
      Match: protocol http url "*cmd.exe*" (1163)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*root.exe*" (1167)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*readme.exe*" (1171)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*default.ida*" (1175)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*x.ida*" (1179)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*.eml*" (1183)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*rich.dll*" (1187)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*admin.dll*" (1191)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*_vti_bin*" (1195)
        0 packets, 0 bytes
        5 minute rate 0 bps
      Match: protocol http url "*_mem_bin*" (1199)
        0 packets, 0 bytes
        5 minute rate 0 bps
      QoS Set
        ip dscp 1
          Packets marked 19

    Class-map: class-default (match-any) (1203/0)
      1264447 packets, 1219808137 bytes
      5 minute offered rate 16668000 bps, drop rate 0 bps
      Match: any  (1207)
Router#
이 게시물을