Date:      Thu, 20 Sep 2001 12:30:32 +1000
From:      Stanley Hopcroft <Stanley.Hopcroft@IPAustralia.gov.au>
To:        security@FreeBSD.ORG
Subject:   Re: NIMDA Virus
Message-ID:  <20010920123031.F5729@IPAustralia.Gov.AU>
In-Reply-To: <20010919204433.A71511-100000@cactus.fi.uba.ar>; from fgleiser@cactus.fi.uba.ar on Wed, Sep 19, 2001 at 08:50:36PM -0300
References:  <3BA9C911.18530.49BAA5C@localhost> <20010919204433.A71511-100000@cactus.fi.uba.ar>

Dear Ladies and Gentlemen,

Here is an attempt at an ipfw equivalent of Mr Gleiser's auto adding of
ipfilter rules.

#!/usr/bin/perl -w

use strict ;

# Follow the Apache access log and react to each new line as it arrives.
my $logfile = "tail -f /usr/local/apache/logs/pericles.aipo.gov.au-access_log |";
my $if = "fxp0";
my $ipfw_filename = "/root/ipfw_msiis" ;
my %reset ;                 # sources already blocked, so each gets one rule

open(LOG, $logfile) or die "can't open $logfile as pipe: $!";

while (<LOG>) {
        # First field is the client address; the request must mention
        # winnt ... cmd.exe, the NIMDA probe.
        if ($_ =~ /^([^\s]+).*GET.+winnt.+cmd\.exe/) {
                my $src = $1;

                unless ( $reset{$src}++ ) {
                        open(FW, "> $ipfw_filename") or die "Can't open $ipfw_filename: $!" ;

                        # Answer every TCP packet from this source with a RST.
                        print FW "add reset tcp from $src to any via $if\n" ;
                        # ipfilter equivalent of the rule above:
                        # print FW "block return-rst in quick on $if proto tcp from $src to any\n";
                        close FW;

                        # ipfw reads the rule file; a nonzero exit status ends up in $?.
                        system "/sbin/ipfw $ipfw_filename" and die "ipfw rules failed: exit status $?" ;
                }
        }
}

Use at your own risk/peril of course.

Yours sincerely.

-- 
------------------------------------------------------------------------
Stanley Hopcroft	IP Australia
Network Specialist
+61 2 6283 3189	+61 2 6281 1353 (FAX)	Stanley.Hopcroft@IPAustralia.Gov.AU
------------------------------------------------------------------------
Parkinson's Fourth Law:
	The number of people in any working group tends to increase
regardless of the amount of work to be done.
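The detection half of the script above, as an added example (not from the original message or its author), run over constructed Apache log lines: it applies the same winnt/cmd.exe match, blocks each source once, and additionally checks that the captured field is a literal IP address before it is turned into an ipfw rule. The interface name fxp0 and the rule format are taken from the script; the log lines use documentation addresses.

```python
import ipaddress
import re

# Same detection rule as the Perl script in the message above: first field is the
# client address, and the request line mentions "winnt" followed by "cmd.exe".
NIMDA_PROBE = re.compile(r"^(\S+).*GET.+winnt.+cmd\.exe")


def ipfw_reset_rule(src: str, iface: str) -> str:
    """The rule the script writes: reply with RST to every TCP packet from src."""
    return f"add reset tcp from {src} to any via {iface}"


def rules_for_log(lines, iface="fxp0"):
    """One ipfw rule per distinct probing source, in first-seen order.

    Sources that are not literal IP addresses (e.g. hostnames when Apache's
    HostnameLookups is on, or a malformed line) are skipped rather than being
    written into the rule file.
    """
    seen = set()
    rules = []
    for line in lines:
        m = NIMDA_PROBE.match(line)
        if not m:
            continue
        src = m.group(1)
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue
        if src in seen:          # the Perl %reset hash: block each source once
            continue
        seen.add(src)
        rules.append(ipfw_reset_rule(src, iface))
    return rules


# Constructed Apache common-log lines (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Sep/2001:10:02:11 +1000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301',
    '192.0.2.10 - - [19/Sep/2001:10:02:12 +1000] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301',
    '198.51.100.7 - - [19/Sep/2001:10:03:40 +1000] "GET /index.html HTTP/1.0" 200 1043',
    '203.0.113.5 - - [19/Sep/2001:10:05:01 +1000] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301',
    'not-an-ip - - [19/Sep/2001:10:06:00 +1000] "GET /winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 301',
]

if __name__ == "__main__":
    for rule in rules_for_log(SAMPLE_LOG):
        print(rule)
```

The script above truncates and reloads the rule file for every new source, so the rules it emits are unnumbered and ipfw assigns the numbers as they are added.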
