[92107] in North American Network Operators' Group


Re: Router / Protocol Problem

daemon@ATHENA.MIT.EDU (Sam Stickland)
Thu Sep 7 11:02:57 2006

Date: Thu, 07 Sep 2006 16:01:45 +0100
From: Sam Stickland <sam_mailinglists@spacething.org>
To: John Kristoff <jtk@ultradns.net>
Cc: nanog@merit.edu
In-Reply-To: <200609071224.k87COb1u025226@atlas.centergate.com>
Errors-To: owner-nanog@merit.edu


Hi John,

John Kristoff wrote:
> On Thu, 7 Sep 2006 07:27:16 -0400
> "Mike Walter" <mwalter@3z.net> wrote:
> 
>> Sep  7 06:50:20.697 EST: %SEC-6-IPACCESSLOGP: list 166 denied tcp
>> 69.50.222.8(25) -> 69.4.74.14(2421), 4 packets
> [...]
> I'm not very familiar with NBAR or how to use it for CodeRed, but this
> first rule:
> 
>> access-list 166 deny   ip any any dscp 1 log
> 
> Seems dubious.  So I'm not sure what sets the codepoint to 000001
> by default, but apparently CodeRed does?  Nevertheless, this seems like
> a very weak basis for determining whether something is malicious.

It's his NBAR config lower down that sets the dscp value:

class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1


So, there are probably two things that could be happening here: one, NBAR is 
incorrectly identifying the SMTP traffic as Code Red, or two, the SMTP 
traffic is already marked with dscp 1. If you're using these values 
internally in your own network, then they should be reset on all 
externally received traffic.

Sam
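
As an added example (not configuration from Mike's or Sam's posts), here is the same NBAR marking policy with the reset Sam recommends: a class-default action that clears the DSCP of everything received on the untrusted interface, so only packets NBAR itself classifies into http-hacks can carry codepoint 1 when list 166 sees them. The interface names, the outbound placement of list 166 and its trailing permit are assumptions; the page shows neither the interfaces nor the rest of that access list.

```cisco
! Added example with assumed interface names and ACL placement; not the
! configuration quoted in the thread.
!
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
! Everything else arriving from outside has its DSCP cleared ("default"
! is the keyword for codepoint 0), so a DSCP of 1 set by a remote network
! or a previous hop never reaches list 166 looking like a Code Red hit.
 class class-default
  set ip dscp default
!
! Assumed: the upstream-facing interface. Marking (and the reset) happens
! on input here.
interface Serial0/0
 description Upstream (untrusted)
 service-policy input mark-inbound-http-hacks
!
! Assumed: the interface towards the servers. The deny is applied on
! output so it is evaluated after the inbound policy has (re)marked the
! packet.
interface FastEthernet0/1
 description Inside
 ip access-group 166 out
!
access-list 166 deny   ip any any dscp 1 log
! The remaining entries of list 166 are not on the page; a final permit
! is assumed here so the list is usable.
access-list 166 permit ip any any
```

To tell the two hypotheses apart, compare counters: `show policy-map interface Serial0/0 input` lists matched packets per class. If the http-hacks counter does not move while list 166 keeps logging DSCP-1 denies for port-25 flows, the codepoint was already set when the traffic arrived, which the class-default reset above handles; if http-hacks is counting those flows, NBAR is classifying them as HTTP and the class-map, not the reset, needs attention.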
