Nimda and Iptables
JVD
bono@wol.be
Wed, 3 Oct 2001 02:02:16 +0200
Hi,
This is far from the netfilter topic, but if it can help....
Here is a way to stop logging Nimda attacks on Apache.
Modify/add in httpd.conf
- for access log - don't log any request attempts made by Nimda:
SetEnvIf Request_URI cmd\.exe|root\.exe nimda
CustomLog /../../access_log common env=!nimda
- for error log - don't log and don't send any 404 error page to Nimda:
Add in
<IfModule mod_alias.c>
RedirectMatch (.*)root\.exe$ http://NimdaIsNotForMe.invalid$1
RedirectMatch (.*)cmd\.exe$ http://NimdaIsNotForMe.invalid$1
</IfModule>
That's all.
Unfortunately I can't use
iptables -A INPUT -i eth0 -j filt_match -d $EXTERNAL -m string --string "cmd.exe" -p tcp --dport 80
It makes an error :( (it is not implemented in iptables v1.2.1?)
Is it a good way? With this rule can I read a web page that talks about Nimda?
I don't think so...
Regards
Jean
----- Original Message -----
From: "Trevor Morrison" <trevor@hailix.com>
To: "netfilter" <netfilter@lists.samba.org>
Sent: Tuesday, October 02, 2001 8:02 PM
Subject: Nimda and Iptables
> Hi,
>
> This is the first time I have posed a question to the list though I have
> been reading it on a regular basis and whence my question. I am running
> a 2.4.9 kernel with 1.2.3 Iptables. I have noticed there have been
> discussions concerning blocking the Nimda virus, but did not read about
> a definite way to do it. Is there a way using Iptables to block (DROP)
> the virus? It is rapidly filling up my logs and becoming a pain.
> Thanks in advance.
>
> Trevor
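
Added example (not part of the original message and not either poster's code): a comparison of the two matching strategies discussed above, showing which requests a path-only rule (like the SetEnvIf line) and a whole-payload string rule (like the posted iptables rule) would each flag. The function names and the sample requests are constructed for illustration, and the payload rule is assumed to look for the string anywhere in the bytes sent to port 80.

```python
import re

# Pattern equivalent to the SetEnvIf / RedirectMatch rules in the message
# (dot escaped so it only matches a literal ".").
NIMDA_URI = re.compile(r"(?:cmd|root)\.exe")
# Byte string a payload match such as "-m string --string" searches for.
NEEDLE = b"cmd.exe"


def request_path(raw: bytes) -> str:
    """Return the URL path from the request line, without the query string."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    target = parts[1] if len(parts) >= 2 else ""
    return target.split("?", 1)[0]


def uri_rule(raw: bytes) -> bool:
    """Apache-style decision: look only at the requested path."""
    return bool(NIMDA_URI.search(request_path(raw)))


def payload_rule(raw: bytes) -> bool:
    """Packet-filter-style decision: needle anywhere in the bytes."""
    return NEEDLE in raw


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "worm_probe": b"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n",
    "referer": b"GET /news/worm.html HTTP/1.0\r\n"
               b"Referer: http://search.invalid/?q=cmd.exe\r\n\r\n",
    "forum_post": b"POST /forum/reply HTTP/1.0\r\nContent-Length: 25\r\n\r\n"
                  b"text=how+to+block+cmd.exe",
    "plain": b"GET /index.html HTTP/1.0\r\n\r\n",
}


def compare(samples=SAMPLES):
    """Map each sample name to (uri_rule, payload_rule)."""
    return {name: (uri_rule(raw), payload_rule(raw))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (by_uri, by_payload) in compare().items():
        print(f"{name:11} uri={by_uri!s:5} payload={by_payload}")
```

The "referer" and "forum_post" samples are flagged only by the payload rule: these are legitimate requests that merely mention the string, which is the false-positive case raised in the message.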