Re: apache and nimbda

From: Craig Knox (crg@monster.gotadsl.co.uk)
Date: 01/29/02


From: Craig Knox <crg@monster.gotadsl.co.uk>
To: Christophe Zwecker <doc@zwecker.de>
Date: 29 Jan 2002 14:16:01 +0000

On Mon, 2002-01-28 at 21:29, Christophe Zwecker wrote:
> thinking of that, I've got a customer with an IIS server which he cannot
> change for apache, for some reason. I wonder which linux based tools
> (the firewall runs on linux) there are to block nimda. Can a proxy acting
> as a reverse proxy do it ?
>
> Anyone done this before ?

I use snort-iptables and it works great. It's very easy to set up, you
just need a recent kernel that supports queuing to userspace and a
patched version of snort from ->
 http://w3.cablespeed.com/~rvmcmil/

If you use something to just drop matching packets this will keep
sessions open on your webserver till they time out, but with
snort-iptables you can get it to drop the packet and reset the session
on the webserver (and it ties up the worm for a while as it keeps
retrying).
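The drop-versus-reset difference Craig describes, worked through as an added example (this is not code from the mail or from the patched snort it points to). It models the verdict step of an inline filter sitting on the userspace queue: a segment whose HTTP request line matches a signature is dropped, and under the "reject" policy the filter also forges RST segments for both ends, so the web server's half-open session is torn down immediately instead of lingering until its timeout. The signature, addresses and port numbers are constructed for the demonstration; the session table is a toy stand-in for the web server's connection state.

```python
"""Inline filter verdict logic, drop versus reject (added example).

Constructed sample traffic: two worm-style probes and one normal client.
"""
from dataclasses import dataclass

TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK = 0x02, 0x04, 0x08, 0x10

# Constructed example signature; a real deployment takes its patterns
# from the IDS rule set, not from this file.
SIGNATURES = [b"/example/worm-probe"]


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: int
    payload: bytes = b""


def matches(seg):
    """True if the HTTP request line carries a known signature."""
    if seg.dport != 80 or not seg.payload:
        return False
    request_line = seg.payload.split(b"\r\n", 1)[0]
    return any(sig in request_line for sig in SIGNATURES)


def reset_segments(seg):
    """Forge RST|ACK segments for both ends of the session.

    The server-bound RST reuses the client's sequence number (the one the
    server is waiting for); the client-bound RST uses the dropped segment's
    ACK number as its sequence number, which is what the client expects
    next from the server.
    """
    to_server = Segment(seg.src, seg.sport, seg.dst, seg.dport,
                        seq=seg.seq, ack=seg.ack, flags=TCP_RST | TCP_ACK)
    to_client = Segment(seg.dst, seg.dport, seg.src, seg.sport,
                        seq=seg.ack, ack=seg.seq + len(seg.payload),
                        flags=TCP_RST | TCP_ACK)
    return [to_server, to_client]


def verdict(seg, policy):
    """Return (action, injected_segments) for one queued segment."""
    if not matches(seg):
        return "ACCEPT", []
    if policy == "drop":
        return "DROP", []            # silent drop: nobody is told
    if policy == "reject":
        return "DROP", reset_segments(seg)
    raise ValueError(policy)


class ServerSessions:
    """Toy stand-in for the web server's connection table."""
    def __init__(self):
        self.open = set()

    def deliver(self, seg):
        key = (seg.src, seg.sport)
        if seg.flags & TCP_RST:
            self.open.discard(key)   # RST tears the session down
        else:
            self.open.add(key)


def sample_traffic():
    """Constructed segments: two worm probes, then one normal request."""
    server, segs = "198.51.100.5", []
    for i, sport in enumerate((40001, 40002)):
        segs.append(Segment("192.0.2.10", sport, server, 80, 1000 + i, 0, TCP_SYN))
        segs.append(Segment("192.0.2.10", sport, server, 80, 1001 + i, 5000,
                            TCP_PSH | TCP_ACK,
                            b"GET /example/worm-probe HTTP/1.0\r\n\r\n"))
    segs.append(Segment("203.0.113.7", 50000, server, 80, 1, 0, TCP_SYN))
    segs.append(Segment("203.0.113.7", 50000, server, 80, 2, 9000,
                        TCP_PSH | TCP_ACK, b"GET /index.html HTTP/1.0\r\n\r\n"))
    return segs


def run(policy, segments):
    """Push segments through the filter; return sessions left open on the server."""
    server = ServerSessions()
    for seg in segments:
        action, injected = verdict(seg, policy)
        if action == "ACCEPT":
            server.deliver(seg)
        for extra in injected:
            if extra.dst == seg.dst:  # only the server-bound RST reaches the server
                server.deliver(extra)
    return len(server.open)


if __name__ == "__main__":
    print("drop   leaves open:", run("drop", sample_traffic()))
    print("reject leaves open:", run("reject", sample_traffic()))
```

With the "drop" policy the two probe sessions stay in the server's table (their handshakes passed, only the request was swallowed), so three sessions remain; with "reject" the forged RSTs remove them and only the legitimate client's session is left. A real inline deployment emits the RSTs on the wire with correct checksums and ports, which this model leaves out.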