iptables anti-nimda/my project...

From: Champ Clark III (champ@vistech.net)
Date: 09/23/01

From: Champ Clark III <champ@vistech.net>
Message-Id: <200109211651.LAA12427@bundy.vistech.net>
Subject: iptables anti-nimda/my project... 
To: focus-linux@securityfocus.com
Date: Fri, 21 Sep 101 11:51:55 -0500 (EST)

> > Hi everyone
> > I don't suppose one of our iptables gurus out there has an iptables rule
> > to filter out this damn nimda thing? I'm really annoyed about it
> > filling up my apache logz and would love to drop the packets 'ere they
> > get to the apache server . . .
> You may be able to deny it with the string matching patch from the patch-o-matic
> section in iptables 1.2.3:
> string.patch
> The string patch:
> Author: Emmanuel Roger <winfield@freegates.be>
> Status: Working
> This patch adds CONFIG_IP_NF_MATCH_STRING which allows you to
> match a string in a whole packet.
> Be aware that the patch-o-matic is not always considered to be stable and bug-free.
> Read the iptables INSTALL file for information on how to apply the patches.
> Oh, and the string match? I guess "c+dir" will take care of most of it. Read the
> security focus analysis available at
> <URL:http://aris.securityfocus.com/alerts/nimda/010919-Analysis-Nimda.pdf>
> Hope this helps,

        This brings up something I was about to start working on....
Now, maybe I won't bother... I've got several questions though.....

        Does the patch cause a considerable amount of overhead (CPU

        Is this something that will eventually make it into the linux
kernel source tree?

        My idea was to write a simple TCP redirect routine that looked
for these sorts of things (ie - "c+dir", etc). The redirect routine
would store known "exploitz" for NT servers in a file.... When the
TCP redirector is executed, it would load these into an array, and
parse incoming connections for these strings _before_ redirecting them
to the NT server.... This way, you could firewall the hell out of the
NT server (making port 80 only accessible by your LAN/Network), and
use your favorite *nix based system to protect/scan incoming connections.

        A new IIS security problem comes out? No problem.....
add it to the exploit file, kill -1 the redirector, and your
NT server is virtually "patched" until the admin can get to it.

        With this string kernel patch, should I even bother with
this project now?

                                        - Champ Clark
                                          Vistech Communications, Inc
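The redirector described in the post, written out as an added example; this is not code from the thread or from any of the people in it. It loads one string per line from a signature file (the only string the thread names is "c+dir"; the second built-in entry, "cmd.exe", is an added assumption used to show that several patterns can be loaded), reads the first bytes of each inbound connection, closes the connection if any signature appears, and otherwise opens a connection to the backend and copies bytes both ways. Re-reading the file on SIGHUP matches the post's "kill -1 the redirector". The backend address 192.0.2.10 is a placeholder, and the signature file format is assumed.

```python
"""Added example: a signature-inspecting TCP redirector in the spirit of the
post (not the thread's own code). It inspects the first bytes of each inbound
connection for known strings before forwarding the connection to a backend."""
from __future__ import annotations

import argparse
import asyncio
import signal
import sys
from pathlib import Path

# Built-in fallback list. "c+dir" is the string suggested in the thread; the
# "cmd.exe" entry is an added assumption, included to show multiple patterns.
DEFAULT_SIGNATURE_TEXT = """
# one pattern per line, '#' starts a comment
c+dir
cmd.exe
"""


def parse_signature_text(text: str) -> list[bytes]:
    """Parse signature-file contents: one pattern per line; blanks/comments ignored."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            sigs.append(line.encode("utf-8"))
    return sigs


def load_signatures(path: str | None) -> list[bytes]:
    """Load signatures from a file, or the built-in constructed list if no path."""
    if path is None:
        return parse_signature_text(DEFAULT_SIGNATURE_TEXT)
    return parse_signature_text(Path(path).read_text(encoding="utf-8", errors="replace"))


def inspect_request(data: bytes, signatures: list[bytes]) -> bytes | None:
    """Return the first signature found in data (case-insensitive), or None."""
    lowered = data.lower()
    for sig in signatures:
        if sig.lower() in lowered:
            return sig
    return None


async def pump(src: asyncio.StreamReader, dst: asyncio.StreamWriter) -> None:
    """Copy bytes one way until EOF, then close the destination side."""
    try:
        while chunk := await src.read(65536):
            dst.write(chunk)
            await dst.drain()
    except (ConnectionError, asyncio.IncompleteReadError):
        pass
    finally:
        dst.close()


class Redirector:
    def __init__(self, sig_path: str | None, backend_host: str, backend_port: int,
                 head_timeout: float = 5.0) -> None:
        self.sig_path = sig_path
        self.backend = (backend_host, backend_port)
        self.head_timeout = head_timeout
        self.signatures = load_signatures(sig_path)

    def reload(self) -> int:
        """Re-read the signature file (wired to SIGHUP, i.e. `kill -1`)."""
        try:
            self.signatures = load_signatures(self.sig_path)
        except OSError as exc:
            print(f"reload failed, keeping old signatures: {exc}", file=sys.stderr)
        return len(self.signatures)

    async def handle(self, reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
        peer = writer.get_extra_info("peername")
        try:
            head = await asyncio.wait_for(reader.read(8192), self.head_timeout)
        except asyncio.TimeoutError:
            head = b""
        hit = inspect_request(head, self.signatures)
        if hit is not None or not head:
            # Known bad string (or an empty/slow client): drop without touching the backend.
            if hit is not None:
                print(f"DROP {peer} matched {hit!r}", file=sys.stderr)
            writer.close()
            await writer.wait_closed()
            return
        try:
            b_reader, b_writer = await asyncio.open_connection(*self.backend)
        except OSError as exc:
            print(f"backend unreachable for {peer}: {exc}", file=sys.stderr)
            writer.close()
            await writer.wait_closed()
            return
        b_writer.write(head)  # replay the bytes already inspected
        await b_writer.drain()
        await asyncio.gather(pump(reader, b_writer), pump(b_reader, writer))


async def serve(args: argparse.Namespace) -> None:
    redirector = Redirector(args.signatures, args.backend_host, args.backend_port)
    loop = asyncio.get_running_loop()
    if hasattr(signal, "SIGHUP"):  # Unix only
        loop.add_signal_handler(
            signal.SIGHUP,
            lambda: print(f"reloaded {redirector.reload()} signatures", file=sys.stderr))
    server = await asyncio.start_server(redirector.handle, args.listen_host, args.listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="inspecting TCP redirector (added example)")
    ap.add_argument("--listen-host", default="0.0.0.0")
    ap.add_argument("--listen-port", type=int, default=8080)
    ap.add_argument("--backend-host", default="192.0.2.10")  # placeholder backend address
    ap.add_argument("--backend-port", type=int, default=80)
    ap.add_argument("--signatures", help="signature file; built-in list if omitted")
    asyncio.run(serve(ap.parse_args()))
```

Only the first 8 KiB read from the client is inspected, so a request that arrives in small pieces or buries the string later in the stream is forwarded unchecked; the same limitation applies to a per-packet kernel string match, since the pattern can be split across packets. Matching is case-insensitive but does no URL decoding, so an encoded variant of a signature is not caught either.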