Date: Wed, 19 Sep 2001 20:50:36 -0300 (ART)
From: Fernando Gleiser <fgleiser@cactus.fi.uba.ar>
To: <rshea@opendoor.co.nz>
Cc: <security@FreeBSD.ORG>
Subject: Re: NIMDA Virus
Message-ID: <20010919204433.A71511-100000@cactus.fi.uba.ar>
In-Reply-To: <3BA9C911.18530.49BAA5C@localhost>
On Thu, 20 Sep 2001 rshea@opendoor.co.nz wrote:
>
> I'd like to do this too. I use IPFW. Can anyone point me at a 'how-to' ? I
> thought IPFW rules could only be based on IP address or service type ?
This is a quick and dirty perl script I made. It is for IP Filter, but it
shouldn't be difficult to modify it to work with ipfw.
Hope this helps.
Fer
------------------------------8< ----------------
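#!/usr/bin/perl -w
use strict;
# Follow the web server access log as new lines are appended.
my $logfile="tail -f path_to_your_access_log |";
my $if="xl0"; #change to match your interface
open LOG, $logfile or die "can't open log: $!";
while (<LOG>) {
    # Nimda probe: first field is the client, request is for winnt/.../cmd.exe
    if ($_=~/^([^\s]+).*GET.+winnt.+cmd\.exe/) {
        # Feed one rule to IP Filter on stdin; the rule must end in a newline.
        open FW, "| ipf -f -" or die "can't open pipe: $!";
        print FW "block return-rst in quick on $if proto tcp from $1 to any\n";
        close FW;
    }
}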
------------------------------8< ----------------
>
> thanks
>
> richard shea.
>
>
>
> *****************************************************
> Open Door Ltd
> PO Box 119-46
> Wellington, NZ
>
> PH +64 4 384 7639
> FX +64 4 384 7672
> *****************************************************
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
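The same log-watching idea adapted for ipfw, as an added example that is not part of the original message: it checks that the first log field is a literal IPv4 address before it goes into a rule, emits one rule per source, and prints the commands instead of installing them. The function names, the allowlist and the sample log lines are constructed for illustration; the interface name is the one used in the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $if    = 'xl0';                       # interface name taken from the post
my %allow = map { $_ => 1 } '127.0.0.1'; # assumption: addresses never to block
my %seen;                                # sources that already have a rule

# Return the client address when the line is a winnt/cmd.exe probe and the
# first field is a well-formed IPv4 literal; otherwise return nothing.
sub probe_source {
    my ($line) = @_;
    return unless $line =~ m{^(\S+) .*"GET \S*winnt\S*cmd\.exe}i;
    my $src = $1;
    return unless $src =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    return if grep { $_ > 255 } $1, $2, $3, $4;
    return $src;
}

# Build the ipfw command for one source (hypothetical helper name).
sub ipfw_rule {
    my ($ip, $ifname) = @_;
    return "ipfw -q add reset tcp from $ip to any in via $ifname";
}

# Turn log lines into rules: one per source, skipping allowlisted hosts.
sub rules_for {
    my @rules;
    for my $line (@_) {
        my $ip = probe_source($line) or next;
        next if $allow{$ip} || $seen{$ip}++;
        push @rules, ipfw_rule($ip, $if);
    }
    return @rules;
}

# Constructed sample lines using documentation addresses, not real traffic.
my $req = '"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -';
my @sample = (
    "192.0.2.10 - - [19/Sep/2001:20:44:33 -0300] $req",
    "192.0.2.10 - - [19/Sep/2001:20:44:34 -0300] $req",       # repeat source
    "198.51.100.7 - - [19/Sep/2001:20:45:01 -0300] $req",
    "host.example - - [19/Sep/2001:20:45:09 -0300] $req",     # name, not an IP
    "127.0.0.1 - - [19/Sep/2001:20:45:30 -0300] $req",        # allowlisted
    '203.0.113.5 - - [19/Sep/2001:20:46:00 -0300] "GET /index.html HTTP/1.0" 200 1043',
);
print "$_\n" for rules_for(@sample);
```

When the web server logs resolved host names, the first field is chosen by whoever controls the client's reverse DNS, which is why the address check comes before rule generation.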
