NBAR Known Worm Policing

[Figure: packet encapsulation. NBAR looks past the frame and IP headers into the TCP segment (source and destination ports) and the data payload.]

Code Red was first released in May 2001.

It exploited a vulnerability in Microsoft IIS and infected 360,000 hosts in 14 hours.

Several strains exist (CodeRed, CodeRedv2, CodeRed II, Code Redv3, CodeRed.C.).

Newer strains replaced the home page of infected web servers and launched DoS flooding attacks.

The worm attempts to access a file with the ".ida" extension, so the branch router classifies those HTTP requests (together with the cmd.exe and root.exe requests made by the later strains) with an NBAR class map:

class-map match-any CODE-RED
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"

This class map is applied on the branch router.


With the ip nbar custom command, you can specify your own match criteria to identify TCP- or UDP-based applications across a range of ports, or on specific ports, in addition to the protocols and applications that NBAR identifies natively or through downloaded Packet Description Language Modules (PDLMs) imported into NBAR. You can specify a string or numeric value to match at a given byte offset within the packet payload. You can create more than 30 custom PDLMs and give them names with the ip nbar custom command.

NBAR User-Defined Application Classification therefore lets you identify application traffic by your own criteria: a string or numeric value inside the data packet.
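The following is an added example of a complete known-worm policing configuration for a branch router; it is not taken from the original page or from Cisco's documentation. The CODE-RED class map is the one shown above; the policy-map name, interface name, and the custom PDLM (its name, offset, byte value and port range) are assumptions chosen for illustration.

```cisco
! 1. Classify Code Red probes by the URL they request. "match-any" places a
!    packet in the class when it matches any one of the URL patterns.
class-map match-any CODE-RED
 match protocol http url "*.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
! 2. Hypothetical user-defined application (ip nbar custom): match the byte
!    0x5A at byte offset 7 of the TCP payload on any port from 3000 to 4000.
!    Name, offset, value and port range are placeholders, not a real signature.
ip nbar custom WORM-SIGNATURE 7 hex 0x5A tcp range 3000 4000
!
! A custom protocol is matched by the name given to ip nbar custom.
class-map match-any WORM-CUSTOM
 match protocol WORM-SIGNATURE
!
! 3. Police the classified traffic: every matched packet is dropped whether it
!    conforms to, exceeds or violates the nominal rate. The per-class counters
!    (show policy-map interface) double as an indicator of infected hosts.
policy-map DROP-KNOWN-WORMS
 class CODE-RED
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
 class WORM-CUSTOM
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
! 4. Apply the policy inbound on the LAN-facing interface so worm traffic is
!    stopped before it leaves the branch. Protocol discovery also gives
!    per-protocol statistics (show ip nbar protocol-discovery) for monitoring.
interface FastEthernet0/0
 description Branch LAN (assumed interface)
 ip nbar protocol-discovery
 service-policy input DROP-KNOWN-WORMS
```

Check the match counters with show policy-map interface FastEthernet0/0 after applying the policy; a rising count in the CODE-RED class identifies hosts on the branch LAN that still need cleaning.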
