Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Re: Router / Protocol Problem

  • From: Sam Stickland
  • Date: Thu Sep 07 11:05:38 2006

Hi John,

John Kristoff wrote:
> On Thu, 7 Sep 2006 07:27:16 -0400
> "Mike Walter" <mwalter@3z.net> wrote:
>
> > Sep  7 06:50:20.697 EST: %SEC-6-IPACCESSLOGP: list 166 denied tcp
> > 69.50.222.8(25) -> 69.4.74.14(2421), 4 packets
> > [...]
>
> I'm not very familiar with NBAR or how to use it for CodeRed, but this
> first rule:
>
> > access-list 166 deny   ip any any dscp 1 log
>
> Seems dubious.  So I'm not sure what sets the codepoint to 000001
> by default, but apparently CodeRed does?  Nevertheless, this seems like
> a very weak basis for determining whether something is malicious.
It's his NBAR config lower down that sets the dscp value:

class-map match-any http-hacks
match protocol http url "*default.ida*"
match protocol http url "*cmd.exe*"
match protocol http url "*root.exe*"

policy-map mark-inbound-http-hacks
class http-hacks
set ip dscp 1


So, there are probably two things that could happen here: One, NBAR is incorrectly identifying the SMTP traffic as Code Red, or two, the SMTP traffic is already marked with dscp 1. If you're using these values internally in your own network then they should be reset on all externally received traffic.

Sam
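An added example, not Mike's configuration from the thread nor anything Sam posted: one way to apply the reset Sam suggests in Cisco IOS MQC, clearing whatever DSCP value the upstream delivered so that only the local http-hacks class can produce dscp 1. The class and policy names are the ones quoted above; the interface name is assumed.

```cisco
! Class and policy names reused from the thread; interface name assumed
class-map match-any http-hacks
 match protocol http url "*default.ida*"
 match protocol http url "*cmd.exe*"
 match protocol http url "*root.exe*"
!
policy-map mark-inbound-http-hacks
 class http-hacks
  set ip dscp 1
 class class-default
  ! Anything NBAR did not classify as an HTTP hack has its codepoint
  ! cleared, so a dscp 1 already set by the upstream (Sam's case two)
  ! cannot trip "access-list 166 deny ip any any dscp 1 log"
  set ip dscp 0
!
interface GigabitEthernet0/0
 description Upstream / Internet-facing link (assumed name)
 service-policy input mark-inbound-http-hacks
!
! To tell the two cases apart, check whether the http-hacks class
! counters grow at the same time the SMTP denies are logged
! (Sam's case one, NBAR misclassification):
!   show policy-map interface GigabitEthernet0/0
```

Clearing the codepoint in class-default also discards any legitimate marking the peer sent, which is what you want on an untrusted edge but not on a link that is meant to carry trusted QoS markings.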



