From owner-freebsd-security Wed Sep 19 19:37:04 2001
Message-Id: <4.3.2.7.2.20010919203412.04b57290@localhost>
Date: Wed, 19 Sep 2001 20:35:28 -0600
To: Stanley Hopcroft, security@FreeBSD.ORG
From: Brett Glass
Subject: Re: NIMDA Virus
In-Reply-To: <20010920123031.F5729@IPAustralia.Gov.AU>
References: <20010919204433.A71511-100000@cactus.fi.uba.ar> <3BA9C911.18530.49BAA5C@localhost>

This will stop working when the logs rotate. Better to pipe to it from
syslog.conf, or work from an ErrorDocument CGI. Or use mod_rewrite and put it
in as a mapping process.

--Brett

At 08:30 PM 9/19/2001, Stanley Hopcroft wrote:
>Dear Ladies and Gentlemen,
>
>Here is an attempt at an ipfw equivalent of Mr Gleiser's auto adding of
>ipfilter rules.
>
>#!/usr/bin/perl -w
>
>use strict ;
>
># Follow the Apache access log through a pipe (stops at log rotation).
>my $logfile = "tail -f /usr/local/apache/logs/pericles.aipo.gov.au-access_log |";
>my $if = "fxp0";
>my $ipfw_filename = "/root/ipfw_msiis" ;
>my %reset ;   # source addresses already given a reset rule
>
>open(LOG, $logfile) or die "can't open $logfile as pipe: $!";
>
>while (<LOG>) {
>    # First field of the combined log line is the client address.
>    if ($_ =~ /^([^\s]+).*GET.+winnt.+cmd\.exe/) {
>        unless ( $reset{$1}++ ) {
>            open(FW, "> $ipfw_filename") or die "Can't open $ipfw_filename: $!" ;
>            print FW "add reset tcp from $1 to any via $if\n" ;
>            # print FW "block return-rst in quick on $if proto tcp from $1 to any";
>            close FW;
>            # ipfw reads rule lines from the file it is given as an argument.
>            system "/sbin/ipfw $ipfw_filename" and die "ipfw rules failed: $!" ;
>        }
>    }
>}
>
>Use at your own risk/peril of course.
>
>Yours sincerely.
>
>--
>------------------------------------------------------------------------
>Stanley Hopcroft                                            IP Australia
>Network Specialist
>+61 2 6283 3189   +61 2 6281 1353 (FAX)   Stanley.Hopcroft@IPAustralia.Gov.AU
>------------------------------------------------------------------------
>Parkinson's Fourth Law:
>        The number of people in any working group tends to increase
>regardless of the amount of work to be done.
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
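Brett's point is that a `tail -f` on a fixed filename stops seeing data once the file is rotated, whereas a process fed through a syslog.conf pipe keeps reading. The following is an added example (not code from either poster) of the same detection and rule generation written to read from whatever line source it is handed, so it can sit on the end of a syslog pipe or be run over sample lines; the interface name and the constructed log lines are assumptions.

```python
import re
import sys
from typing import Iterable, List, Optional, Set

# Same signature the quoted script keys on: a GET whose request line reaches
# winnt/.../cmd.exe. Assumes Apache combined log format (client address first).
NIMDA_RE = re.compile(r'^(\S+) .*"GET [^"]*winnt[^"]*cmd\.exe', re.IGNORECASE)


def rules_for_lines(lines: Iterable[str], iface: str = "fxp0",
                    seen: Optional[Set[str]] = None) -> List[str]:
    """Return one ipfw 'reset' rule per newly seen offending source address.

    `lines` can be sys.stdin when syslog.conf pipes the access log into this
    process, which is what survives log rotation (tail -f on a path does not).
    `seen` carries state across calls so each address gets a rule only once.
    """
    seen = seen if seen is not None else set()
    rules = []
    for line in lines:
        m = NIMDA_RE.match(line)
        if not m:
            continue
        src = m.group(1)
        if src in seen:
            continue
        seen.add(src)
        rules.append(f"add reset tcp from {src} to any via {iface}")
    return rules


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Sep/2001:20:35:28 -0600] "GET /scripts/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.10 - - [19/Sep/2001:20:35:29 -0600] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [19/Sep/2001:20:35:30 -0600] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [19/Sep/2001:20:35:31 -0600] "GET /_vti_bin/../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.10 - - [19/Sep/2001:20:35:32 -0600] "GET /scripts/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    # Read a syslog pipe when one is attached; otherwise demonstrate on the sample.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for rule in rules_for_lines(source):
        print(rule)  # to apply, write these to a file and run /sbin/ipfw <file>, as the post does
```

Because the generated rule is `to any`, it cuts off every connection from that address, so a shared proxy or NAT gateway appearing in the log would lose access for all of its users; keep the `seen` set bounded and expire entries if this runs unattended.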