From: Stanley Hopcroft <Stanley.Hopcroft@IPAustralia.gov.au>
To: security@FreeBSD.ORG
Subject: Re: NIMDA Virus
Date: Thu, 20 Sep 2001 12:30:32 +1000
Message-ID: <20010920123031.F5729@IPAustralia.Gov.AU>
References: <3BA9C911.18530.49BAA5C@localhost> <20010919204433.A71511-100000@cactus.fi.uba.ar>
In-Reply-To: <20010919204433.A71511-100000@cactus.fi.uba.ar>; from fgleiser@cactus.fi.uba.ar on Wed, Sep 19, 2001 at 08:50:36PM -0300
User-Agent: Mutt/1.2.5i

Dear Ladies and Gentlemen,

Here is an attempt at an ipfw equivalent of Mr Gleiser's auto-adding of ipfilter rules.

#!/usr/bin/perl -w
use strict;

# Follow the Apache access log as it grows, reading it through a pipe.
my $logfile = "tail -f /usr/local/apache/logs/pericles.aipo.gov.au-access_log |";
my $if = "fxp0";
my $ipfw_filename = "/root/ipfw_msiis";
my %reset;    # source addresses that already have a reset rule

open(LOG, $logfile) or die "can't open $logfile as pipe: $!";
while (<LOG>) {
    # Match the Nimda probe (cmd.exe under winnt) and capture the client address,
    # which is the first field of the access-log line.
    if ($_ =~ /^([^\s]+).*GET.+winnt.+cmd\.exe/) {
        my $src = $1;
        unless ($reset{$src}++) {
            open(FW, "> $ipfw_filename") or die "Can't open $ipfw_filename: $!";
            print FW "add reset tcp from $src to any via $if\n";
            # ipfilter equivalent of the rule above:
            # print FW "block return-rst in quick on $if proto tcp from $src to any\n";
            close FW;
            # system returns 0 on success; $? holds the exit status on failure
            system "/sbin/ipfw $ipfw_filename" and die "ipfw rules failed: $?";
        }
    }
}

Use at your own risk/peril, of course.

Yours sincerely.

--
------------------------------------------------------------------------
Stanley Hopcroft
IP Australia
Network Specialist
+61 2 6283 3189
+61 2 6281 1353 (FAX)
Stanley.Hopcroft@IPAustralia.Gov.AU
------------------------------------------------------------------------
Parkinson's Fourth Law: The number of people in any working group tends to increase regardless of the amount of work to be done.
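The same detection and rule generation as the Perl script above, written in Python as an added example that is not part of the original post. It runs over constructed sample access-log lines (the 192.0.2.x and 198.51.100.x hosts are documentation addresses, not real probers); the check that the captured field is a valid IP address and the explicit rule numbering are additions not present in the script above.

```python
import ipaddress
import re
import sys

# Same probe pattern as the Perl script: client address, then a GET for cmd.exe under winnt.
PROBE_RE = re.compile(r"^(\S+).*GET.+winnt.+cmd\.exe")

# Constructed sample access-log lines (not taken from the original post).
SAMPLE_LOG = """\
10.0.3.110 - - [20/Sep/2001:12:30:32 +1000] "GET /index.html HTTP/1.0" 200 1234
192.0.2.7 - - [20/Sep/2001:12:30:33 +1000] "GET /scripts/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
192.0.2.7 - - [20/Sep/2001:12:30:34 +1000] "GET /msadc/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
198.51.100.9 - - [20/Sep/2001:12:30:35 +1000] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 287
not-an-ip - - [20/Sep/2001:12:30:36 +1000] "GET /winnt/system32/cmd.exe HTTP/1.0" 404 287
"""


def probing_hosts(lines):
    """Unique source addresses that sent a probe, in first-seen order.

    The captured field ends up in a rule file that ipfw executes, so anything
    that is not a syntactically valid IP address is dropped rather than passed on.
    """
    seen, hosts = set(), []
    for line in lines:
        m = PROBE_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        try:
            ipaddress.ip_address(src)
        except ValueError:
            continue          # hostname or garbage in the first field: skip it
        if src not in seen:
            seen.add(src)
            hosts.append(src)
    return hosts


def ipfw_rules(hosts, iface="fxp0", first_rule=100):
    """One 'reset' rule per host, numbered explicitly so the rules sit ahead of
    existing accept rules (an unnumbered 'add' lands after the highest rule)."""
    return [f"add {first_rule + i} reset tcp from {h} to any via {iface}"
            for i, h in enumerate(hosts)]


if __name__ == "__main__":
    # Mirrors the Perl usage: tail -f access_log | python3 this_script.py
    for rule in ipfw_rules(probing_hosts(sys.stdin)):
        print(rule)
```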