North American Network Operators Group
Re: Router / Protocol Problem
Hi John,

John Kristoff wrote:

> On Thu, 7 Sep 2006 07:27:16 -0400 "Mike Walter" <[email protected]> wrote:
>
> > Sep 7 06:50:20.697 EST: %SEC-6-IPACCESSLOGP: list 166 denied tcp 220.127.116.11(25) -> 18.104.22.168(2421), 4 packets
>
> [...]
>
> I'm not very familiar with NBAR or how to use it for CodeRed, but this first rule:
>
> access-list 166 deny ip any any dscp 1 log
>
> Seems dubious. So I'm not sure what sets the codepoint to 000001 by default, but apparently CodeRed does? Nevertheless, this seems like a very weak basis for determining whether something is malicious.

It's his NBAR config lower down that sets the dscp value:
class-map match-any http-hacks
match protocol http url "*default.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"
set ip dscp 1
So, there are probably two things that could happen here: one, NBAR is incorrectly identifying the SMTP traffic as Code Red, or two, the SMTP traffic is already marked with dscp 1. If you're using these values internally in your own network then they should be reset on all externally received traffic.
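A small triage helper for the situation discussed in this thread, added here as an example and not part of the original message or of anyone's router config. It parses IOS %SEC-6-IPACCESSLOGP lines in the format quoted above, totals denied packets per source port for ACL 166 so that hits on well-known service ports (source port 25 is a mail server replying) stand out from anything inbound, decodes DSCP from the raw TOS byte to show that "dscp 1" is TOS 0x04, and models the reply's recommendation of clearing an internal-only marking on untrusted ingress. The first log line is the one from the thread; the other lines, the function names and the trusted/untrusted flag are constructed for the example.

```python
import re
from collections import Counter

# Shape of the IOS ACL log lines quoted in the thread (%SEC-6-IPACCESSLOGP).
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\d+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<packets>\d+) packets?"
)

# Well-known server ports. A deny whose *source* port is one of these is a
# reply from a legitimate service being dropped, not an inbound probe.
SERVICE_PORTS = {25: "smtp", 80: "http", 443: "https", 110: "pop3", 143: "imap"}

# Constructed sample log: line 0 is the one quoted in the thread, the rest
# are made up (RFC 5737 documentation addresses) to exercise the parser.
SAMPLE_LOG = [
    "Sep 7 06:50:20.697 EST: %SEC-6-IPACCESSLOGP: list 166 denied tcp "
    "220.127.116.11(25) -> 18.104.22.168(2421), 4 packets",
    "Sep 7 06:51:02.113 EST: %SEC-6-IPACCESSLOGP: list 166 denied tcp "
    "198.51.100.7(25) -> 18.104.22.168(2422), 2 packets",
    "Sep 7 06:51:40.005 EST: %SEC-6-IPACCESSLOGP: list 166 denied tcp "
    "203.0.113.9(4711) -> 18.104.22.168(80), 1 packet",
    "Sep 7 06:52:00.000 EST: %SYS-5-CONFIG_I: Configured from console by vty0",
]


def parse_acl_log(line):
    """Return a dict for one IPACCESSLOGP line, or None for any other message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("acl", "sport", "dport", "packets"):
        rec[key] = int(rec[key])
    return rec


def summarize_denies(lines, acl):
    """Total denied packets per source port for one ACL, labelled by service.

    Returns {source_port: (service_name_or_'unknown', packet_count)}.
    """
    counts = Counter()
    for line in lines:
        rec = parse_acl_log(line)
        if rec and rec["acl"] == acl and rec["action"] == "denied":
            counts[rec["sport"]] += rec["packets"]
    return {port: (SERVICE_PORTS.get(port, "unknown"), n) for port, n in counts.items()}


def dscp_from_tos(tos):
    """DSCP is the upper six bits of the IPv4 TOS byte; the low two are ECN."""
    return (tos >> 2) & 0x3F


def tos_from_dscp(dscp, ecn=0):
    """Inverse of dscp_from_tos: dscp 1 (binary 000001) is TOS byte 0x04."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def normalize_ingress_dscp(dscp, trusted):
    """Model of the reply's advice: a marking that only has meaning inside the
    network is cleared on traffic from an untrusted (external) interface, so an
    ACL keyed on that marking cannot be triggered by whatever the sender set."""
    return dscp if trusted else 0


if __name__ == "__main__":
    for port, (svc, n) in sorted(summarize_denies(SAMPLE_LOG, 166).items()):
        print(f"src port {port:5d} ({svc:7s}): {n} packets denied by list 166")
    print(f"dscp 1 == TOS byte 0x{tos_from_dscp(1):02x}")
```

Run stand-alone it shows that every deny from source port 25 is mail traffic the ACL is killing, which is the symptom the thread is diagnosing; the DSCP helpers make it easy to check a captured TOS byte against the value the class-map would set.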