Date: Wed, 19 Sep 2001 20:35:28 -0600
From: Brett Glass <brett@lariat.org>
To: Stanley Hopcroft <Stanley.Hopcroft@IPAustralia.gov.au>, security@FreeBSD.ORG
Subject: Re: NIMDA Virus
Message-ID: <4.3.2.7.2.20010919203412.04b57290@localhost>
In-Reply-To: <20010920123031.F5729@IPAustralia.Gov.AU>
References: <20010919204433.A71511-100000@cactus.fi.uba.ar> <3BA9C911.18530.49BAA5C@localhost> <20010919204433.A71511-100000@cactus.fi.uba.ar>
This will stop working when the logs rotate. Better to pipe to it from
syslog.conf, or work from an ErrorDocument CGI. Or use mod_rewrite and
put it in as a mapping process.

--Brett

At 08:30 PM 9/19/2001, Stanley Hopcroft wrote:

>Dear Ladies and Gentlemen,
>
>Here is an attempt at an ipfw equivalent of Mr Gleiser's auto adding of
>ipfilter rules.
>
>#!/usr/bin/perl -w
>
>use strict ;
>
># Follow the Apache access log; each matching request adds an ipfw rule.
>my $logfile = "tail -f /usr/local/apache/logs/pericles.aipo.gov.au-access_log |";
>my $if = "fxp0";
>my $ipfw_filename = "/root/ipfw_msiis" ;
>my %reset ;   # source addresses already blocked
>
>open(LOG, $logfile) or die "can't open $logfile as pipe: $!";
>
>while (<LOG>) {
>    if ($_ =~ /^([^\s]+).*GET.+winnt.+cmd\.exe/) {
>        my $src = $1;
>
>        # Add the rule only the first time this source is seen.
>        unless ( $reset{$src}++ ) {
>            open(FW, "> $ipfw_filename") or die "Can't open $ipfw_filename: $!" ;
>            print FW "add reset tcp from $src to any via $if\n" ;
>            # print FW "block return-rst in quick on $if proto tcp from $src to any\n";
>            close FW;
>
>            # system() returns the exit status; $! is not set on a non-zero exit.
>            system "/sbin/ipfw $ipfw_filename" and die "ipfw rules failed: $?" ;
>        }
>    }
>}
>
>Use at your own risk/peril of course.
>
>Yours sincerely.
>
>--
>------------------------------------------------------------------------
>Stanley Hopcroft                                  IP Australia
>Network Specialist
>+61 2 6283 3189    +61 2 6281 1353 (FAX)  Stanley.Hopcroft@IPAustralia.Gov.AU
>------------------------------------------------------------------------
>Parkinson's Fourth Law:
>        The number of people in any working group tends to increase
>regardless of the amount of work to be done.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
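The stdin-fed variant Brett suggests (syslogd piping the access log into a process instead of `tail -f` on a file that rotates), as an added example that is not from either poster. The sample log lines, the TEST-NET addresses and the `fxp0` interface name are constructed; the script name and `--apply` flag are assumptions.

```python
#!/usr/bin/env python3
"""Read Apache access-log lines from stdin (fed by syslogd rather than
tail -f, so log rotation does not break it) and emit one ipfw reset rule
per offending source.  Added example; paths and interface are assumptions."""
import re
import subprocess
import sys

# Same signature the quoted Perl script keys on: a GET whose path reaches
# winnt/.../cmd.exe.  Group 1 is the client address (first log field).
NIMDA_RE = re.compile(r'^(\S+) .*"GET [^"]*winnt[^"]*cmd\.exe')

def rule_for(line, seen, iface="fxp0"):
    """Return the ipfw rule body for a matching line, or None if the line
    is benign or its source address is already in `seen`."""
    m = NIMDA_RE.match(line)
    if not m or m.group(1) in seen:
        return None
    seen.add(m.group(1))
    return f"add reset tcp from {m.group(1)} to any via {iface}"

def process(lines, iface="fxp0"):
    """Deduplicated rules for a whole stream of log lines."""
    seen = set()
    return [r for r in (rule_for(l, seen, iface) for l in lines) if r]

def apply_rule(rule, dry_run=True):
    """Pass the rule to /sbin/ipfw as arguments (no temp file) and return
    its exit status; 0 means the rule was accepted."""
    cmd = ["/sbin/ipfw"] + rule.split()
    if dry_run:
        print(" ".join(cmd))
        return 0
    return subprocess.run(cmd, check=False).returncode

# Constructed sample lines (TEST-NET addresses); not from a real server.
SAMPLE_LINES = [
    '192.0.2.10 - - [19/Sep/2001:20:30:00 -0600] "GET /scripts/../winnt/system32/cmd.exe HTTP/1.0" 404 291',
    '192.0.2.20 - - [19/Sep/2001:20:30:01 -0600] "GET /index.html HTTP/1.0" 200 1234',
    '192.0.2.10 - - [19/Sep/2001:20:30:02 -0600] "GET /c/winnt/system32/cmd.exe HTTP/1.0" 404 291',
    '192.0.2.30 - - [19/Sep/2001:20:30:03 -0600] "GET /_vti_bin/../winnt/system32/cmd.exe HTTP/1.0" 404 291',
]

if __name__ == "__main__":
    # From syslog.conf: `| /usr/local/sbin/nimda_block.py --apply`; default is a dry run.
    for rule in process(sys.stdin):
        apply_rule(rule, dry_run="--apply" not in sys.argv)
```

Run without `--apply` to see the rules it would add; the dedup set lives for the life of the process, so one rule per source is emitted no matter how many requests follow.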