You can do it on the router (before it gets to CSS) with NBAR and
rate-limiting.  I know that works.


wrote in message news:[EMAIL PROTECTED]...
> Hi,
>
> Has anyone tried filtering the Nimda virus on the content switch? I have
> configured it but do not see that it is filtering the virus; the show
> summary is not showing the counter incrementing even though the IDS
> reports Nimda.
>
> Here is what I configured: I created an HTTP header group and rule which
> will look at the HTTP header request for the strings .ida, cmd.exe,
> default.ida and x.ida and, if found, should direct this to the dummy
> service, which points to a nonexistent server.
>
> Any input regarding this would be helpful.
>
>
> !********************* HEADER FIELD GROUP *********************
> header-field-group .ida
>   header-field .ida request-line contain ".ida"
>
> header-field-group cmd.exe
>   header-field cmd.exe request-line contain "cmd.exe"
>
> header-field-group default.ida
>   header-field default.ida request-line contain "default.ida"
>
> header-field-group root.exe
>   header-field root.exe request-line contain "root.exe"
>
> header-field-group x.ida
>   header-field x.ida request-line contain "x.ida"
>
> !*************************** OWNER ***************************
>
>
>  content block_.ida
>    url "/*"
>    protocol tcp
>    port 80
>    header-field-rule .ida weight 0
>    add service dummy
>    active
>
>  content block_cmd.exe
>    url "/*"
>    protocol tcp
>    port 80
>    header-field-rule cmd.exe weight 0
>    add service dummy
>    active
>
>  content block_default.ida
>    header-field-rule default.ida weight 0
>    add service dummy
>    protocol tcp
>    port 80
>    url "/*"
>    active
>
>  content block_root.exe
>    protocol tcp
>    port 80
>    url "/*"
>    header-field-rule root.exe weight 0
>    add service dummy
>    active
>
>  content block_x.ida
>    protocol tcp
>    port 80
>    url "/*"
>    header-field-rule x.ida weight 0
>    add service dummy
>    active
>
>
> !************************** SERVICE **************************
> service dummy
>   ip address 10.10.10.10
>   keepalive type none
>   active
>
>
>
>
>
> Kind Regards /Thangavel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44847&t=44843
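
The router-side approach the reply mentions (NBAR classification plus policing), as an added example that is not part of the thread. The class and policy names and the interface are assumptions, the match strings are the ones from the quoted CSS configuration, and the police rates are arbitrary because every action is drop.

```cisco
! Added example: drop HTTP requests whose URL contains the strings
! from the quoted CSS header-field groups, before they reach the CSS.
! NBAR requires CEF to be enabled.
ip cef
!
! Classify: match-any means one matching URL pattern is enough.
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*x.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
! Police: all three actions drop, so everything in the class is discarded
! regardless of the configured rate and burst values.
policy-map drop-inbound-http-hacks
 class http-hacks
  police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop
!
! Apply inbound on the interface facing the source of the requests.
! Serial0/0 is a placeholder interface name.
interface Serial0/0
 service-policy input drop-inbound-http-hacks
```

`show policy-map interface Serial0/0` displays per-class packet counters, which is where to confirm that the class is actually matching traffic.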