Blocking the Nimda Worm

Problem this snippet solves:

This simple iRule should block the Nimda worm, if you should ever have need to do so, by refusing any HTTP request whose URI contains cmd.exe, root.exe or admin.dll.

Code :

when HTTP_REQUEST {
 # Lower-case the URI so the match is case-insensitive
 set uri [string tolower [HTTP::uri]]
 if { ($uri contains "cmd.exe") or ($uri contains "root.exe") or ($uri contains "admin.dll") } {
  # Silently discard the request
  drop
 } else {
  pool serverpool
 }
}

## Or using a switch statement which sends a TCP reset for offending requests and sends the rest to the VIP's default pool:

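when HTTP_REQUEST {
   # -glob with * wildcards matches the file name anywhere in the URI;
   # without it, switch only matches when the whole URI equals the pattern
   switch -glob [string tolower [HTTP::uri]] {
      "*cmd.exe*" -
      "*root.exe*" -
      "*admin.dll*" {
         # Send a TCP reset to the client
         reject
      }
   }
}
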
Published Mar 16, 2015
Version 1.0
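
To see what the rule would catch before enabling it, the same case-insensitive substring match can be run over existing web server access logs. The script below is an added example, not part of the original snippet; it assumes Common Log Format, and the log lines and client addresses are constructed samples.

```python
import re
from collections import Counter

# Substrings the iRule looks for in the lower-cased request URI.
INDICATORS = ("cmd.exe", "root.exe", "admin.dll")

# Common Log Format: client ident user [time] "METHOD URI PROTO" status size
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def matched_indicator(uri):
    """Return the first indicator contained in the URI (case-insensitive), or None."""
    lowered = uri.lower()
    for needle in INDICATORS:
        if needle in lowered:
            return needle
    return None

def scan(lines):
    """Return (hits, per_client): matching (client, uri, indicator) tuples and a count per client."""
    hits, per_client = [], Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        indicator = matched_indicator(m.group("uri"))
        if indicator:
            hits.append((m.group("client"), m.group("uri"), indicator))
            per_client[m.group("client")] += 1
    return hits, per_client

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Mar/2015:10:00:01 +0000] "GET /scripts/root.exe HTTP/1.0" 404 287',
    '192.0.2.10 - - [16/Mar/2015:10:00:02 +0000] "GET /c/winnt/system32/CMD.EXE HTTP/1.0" 404 290',
    '198.51.100.7 - - [16/Mar/2015:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.4 - - [16/Mar/2015:10:00:09 +0000] "GET /_vti_bin/Admin.dll HTTP/1.0" 404 288',
    '198.51.100.7 - - [16/Mar/2015:10:00:11 +0000] "GET /downloads/cmd.exe.txt HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    hits, per_client = scan(SAMPLE_LOG)
    for client, uri, indicator in hits:
        print(f"{client} {indicator:<10} {uri}")
    for client, count in per_client.most_common():
        print(f"{client}: {count} matching request(s)")
```

The last sample line is a legitimate download that a plain substring match also flags, so review the hits for false positives before applying the rule to production traffic.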
