From: Fernando Gleiser
Date: Wed, 19 Sep 2001 20:50:36 -0300 (ART)
Subject: Re: NIMDA Virus
In-Reply-To: <3BA9C911.18530.49BAA5C@localhost>
Message-ID: <20010919204433.A71511-100000@cactus.fi.uba.ar>
Sender: owner-freebsd-security@FreeBSD.ORG

On Thu, 20 Sep 2001 rshea@opendoor.co.nz wrote:

>
> I'd like to do this too. I use IPFW. Can anyone point me at a 'how-to' ? I
> thought IPFW rules could only be based on IP address or service type ?

This is a quick and dirty perl script I made. It is for IP Filter, but
it shouldn't be difficult to modify it to work with ipfw.

Hope this helps.

			Fer

------------------------------8< ----------------
#!/usr/bin/perl -w

# Follow the web server access log as it grows.
my $logfile="tail -f path_to_your_access_log |";
my $if="xl0"; #change to match your interface

open LOG, $logfile or die "cant open";

while (<LOG>) {
	# $1 is the first field of the log line (the client address).
	if ($_=~/^([^\s]+).*GET.+winnt.+cmd.exe/) {
		# Feed one block rule for that client to IP Filter on stdin.
		open FW, "| ipf -f -" or die "cant open pipe";
		print FW "block return-rst in quick on $if proto tcp from $1 to any\n";
		close FW;
	}
}
------------------------------8< ----------------
>
> thanks
>
> richard shea.
>
>
>
> *****************************************************
> Open Door Ltd
> PO Box 119-46
> Wellington, NZ
>
> PH +64 4 384 7639
> FX +64 4 384 7672
> *****************************************************
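
Added example, not part of the original message and not the poster's code: the same log match adapted to produce ipfw commands, which is what the quoted question asked about. It is written in Python, accepts the first log field only if it parses as an IPv4 address (the field comes from the log and is untrusted), and emits one rule per source. The function name, the sample log lines and the choice of the ipfw `reset` action with `in via` are assumptions made for this example.

```python
import ipaddress
import re

# Same match as the Perl script above: first log field, then a GET whose
# path contains "winnt" followed later by "cmd.exe" (dot escaped here).
PROBE = re.compile(r'^(\S+).*GET.+winnt.+cmd\.exe')


def ipfw_rules(lines, iface="xl0"):
    """Return one ipfw command per distinct IPv4 source that sent a probe."""
    seen = set()
    rules = []
    for line in lines:
        m = PROBE.match(line)
        if not m:
            continue
        try:
            # Only a literal IPv4 address may end up in a firewall rule;
            # hostnames or anything else in the first field are skipped.
            src = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue
        if src in seen:
            continue  # this source already has a rule
        seen.add(src)
        rules.append(f"ipfw add reset tcp from {src} to any in via {iface}")
    return rules


# Constructed sample lines using documentation addresses, not real log data.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Sep/2001:20:01:02 -0300] '
    '"GET /scripts/winnt/system32/cmd.exe HTTP/1.0" 404 276',
    '192.0.2.10 - - [19/Sep/2001:20:01:03 -0300] '
    '"GET /msadc/winnt/system32/cmd.exe HTTP/1.0" 404 276',
    '198.51.100.7 - - [19/Sep/2001:20:02:11 -0300] '
    '"GET /index.html HTTP/1.0" 200 1043',
    'host.example.net - - [19/Sep/2001:20:03:40 -0300] '
    '"GET /scripts/winnt/system32/cmd.exe HTTP/1.0" 404 276',
    '203.0.113.5 - - [19/Sep/2001:20:04:15 -0300] '
    '"GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 276',
]

if __name__ == "__main__":
    # Print the commands for review; nothing is executed here.
    for rule in ipfw_rules(SAMPLE_LOG):
        print(rule)
```

The commands are only printed, so they can be reviewed before being run as root.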