Script VBS to create an IP packet filter when an intrusion detected event happens

Script VBS to create an IP packet filter when an intrusion detected event happens

Post by Erasmo C Pilecc » Wed, 07 Nov 2001 06:17:50



Hi all,

I had a few half-scan attacks and I found out how my ISA
Server can create an automatic IP Packet Filter to block the
attacker. I did it.

If someone is looking for it, the script is below.

Erasmo C Pilecco

Copied from the ISA Server SDK help, with a few modifications to
create the rule name with the attacker's IP:

Environment Variable Example
The VBScript provided below creates a blocking packet
filter for an IP address received in an attack event. It's
based on the sample script StaticFilter.vbs.

In order to use the script as a response to an attack, you
should create a new alert with the following parameters:

Event - "Intrusion detected".
Additional condition - a condition of interest to you,
such as "Well-known port scan attack".
Select Run a program as the action.
Specify the following command line:

%windir%\system32\cscript.exe CreateStaticFilter.vbs

where %windir% is your Windows 2000 installation
directory, and StaticFilter.vbs is the full path to the
script you want to run.

CreateStaticFilter.vbs
---------------------------------------
'define the constants
const fpcBlockingPacketFilter = 2
const fpcCustomFilterType = 1
const fpcPfAnyProtocolIpIndex = 0
const fpcPfDirectionIndexBoth = 3
const fpcPfAnyPort = 1
const fpcPfAnyRemotePort = 1
const fpcPfDefaultProxyExternalIp = 1
const fpcPfSingleHost = 2

Private Sub SetStaticPacketFilter()
'Create the root object
Set ISA = CreateObject("FPC.Root")
ISA.Refresh

'Get the containing array
Set MyArray = ISA.Arrays.GetContainingArray

' limited to only work with a specific attacker machine on the Internet

' read the attacker IP that the alert passes in the ALERT_PARAMETER_1 environment variable
Set WshShell = WScript.CreateObject("WScript.Shell")
Set WshEnv = WshShell.Environment("Process")
Dim Filter_Name
Filter_Name = "Deny attacker " & WshEnv("ALERT_PARAMETER_1")

' Create a blocking filter for all traffic from the attacker IP
Set pf = MyArray.ArrayPolicy.IpPacketFilters.Add(Filter_Name, fpcBlockingPacketFilter)
pf.Description = "Block all traffic from attacker"

' set the filter parameters
pf.Enabled = True
pf.AllServers = True
pf.FilterType = fpcCustomFilterType
pf.ProtocolNumber = fpcPfAnyProtocolIpIndex

' apply the filter to packets in both directions
pf.PacketDirection = fpcPfDirectionIndexBoth

' define the local host type
pf.SetLocalHost fpcPfDefaultProxyExternalIp

' set the local port type
pf.LocalPortType = fpcPfAnyPort

' set the remote port type
pf.RemotePortType = fpcPfAnyRemotePort

'the environment variable 'ALERT_PARAMETER_1' contains the attacker IP
pf.SetRemoteHost fpcPfSingleHost, WshEnv("ALERT_PARAMETER_1")

MyArray.Save
End Sub

SetStaticPacketFilter
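
The same script with the two checks a defender would want before acting on an alert parameter, as an added example that is not part of the original post or the ISA SDK sample: ALERT_PARAMETER_1 is validated as a dotted-quad IPv4 address before it reaches the filter, and an address that already has a "Deny attacker" filter is not added again, so one scan that raises many alerts produces one filter. It assumes that the IpPacketFilters collection can be enumerated with For Each and that each filter exposes a Name property.

```vbscript
' Added example: a hardened variant of CreateStaticFilter.vbs (not the original script).
Option Explicit
Const fpcBlockingPacketFilter = 2
Const fpcCustomFilterType = 1
Const fpcPfAnyProtocolIpIndex = 0
Const fpcPfDirectionIndexBoth = 3
Const fpcPfAnyPort = 1
Const fpcPfAnyRemotePort = 1
Const fpcPfDefaultProxyExternalIp = 1
Const fpcPfSingleHost = 2
' Accept only a dotted-quad IPv4 address with every octet in 0-255.
Function IsValidIPv4(addr)
    Dim re, parts, i
    Set re = CreateObject("VBScript.RegExp")
    re.Pattern = "^\d{1,3}(\.\d{1,3}){3}$"
    IsValidIPv4 = False
    If Not re.Test(addr) Then Exit Function
    parts = Split(addr, ".")
    For i = 0 To 3
        If CInt(parts(i)) > 255 Then Exit Function
    Next
    IsValidIPv4 = True
End Function
Sub BlockAttacker()
    Dim ISA, MyArray, WshEnv, attackerIp, filterName, pf, f
    Set WshEnv = WScript.CreateObject("WScript.Shell").Environment("Process")
    attackerIp = Trim(WshEnv("ALERT_PARAMETER_1"))
    ' The parameter is filled in by the attack event: check it before acting on it.
    If Not IsValidIPv4(attackerIp) Then
        WScript.Echo "ALERT_PARAMETER_1 is not an IPv4 address: " & attackerIp
        Exit Sub
    End If
    Set ISA = CreateObject("FPC.Root"): ISA.Refresh
    Set MyArray = ISA.Arrays.GetContainingArray
    filterName = "Deny attacker " & attackerIp
    ' One filter per address, however many alerts the same scan raises (assumes the
    ' IpPacketFilters collection supports For Each and each filter exposes Name).
    For Each f In MyArray.ArrayPolicy.IpPacketFilters
        If StrComp(f.Name, filterName, vbTextCompare) = 0 Then Exit Sub
    Next
    Set pf = MyArray.ArrayPolicy.IpPacketFilters.Add(filterName, fpcBlockingPacketFilter)
    pf.Description = "Block all traffic from attacker, created " & Now  ' timestamp for later cleanup
    pf.Enabled = True: pf.AllServers = True: pf.FilterType = fpcCustomFilterType
    pf.ProtocolNumber = fpcPfAnyProtocolIpIndex: pf.PacketDirection = fpcPfDirectionIndexBoth
    pf.SetLocalHost fpcPfDefaultProxyExternalIp
    pf.LocalPortType = fpcPfAnyPort: pf.RemotePortType = fpcPfAnyRemotePort
    pf.SetRemoteHost fpcPfSingleHost, attackerIp
    MyArray.Save
End Sub
BlockAttacker
```

The creation time kept in the description lets a later cleanup job remove filters after a set period, which matters when the blocked address was dynamically assigned and has since moved to another customer.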


Script VBS to create an IP packet filter when an intrusion detected event happens

Post by Mariette Knap [MS MVP] » Wed, 07 Nov 2001 06:35:41


Hi,

This is an excellent idea, but if someone attacks your server from
an IP address that was dynamically assigned by the ISP, it could cause
other people using the same IP address to be blocked from your server.
That is NOT what you want, I guess.

I am looking into this VBscript and I will try to modify it so that it
blocks all Nimda or Code Red attacks. Those attacks are most of the time from
static IP addresses.

--
Bye
Mariette Knap [MS SBS MVP]
SBS 2000 FAQ Site: http://www.sbs2000.info/




Script VBS to create an IP packet filter when an intrusion detected event happens

Post by Jame » Wed, 07 Nov 2001 17:06:10



> Hi,

> This is an excellent idea, but if someone attacks your server from
> an IP address that was dynamically assigned by the ISP, it could cause
> other people using the same IP address to be blocked from your server.
> That is NOT what you want, I guess.

> I am looking into this VBscript and I will try to modify it so that it
> blocks all Nimda or Code Red attacks. Those attacks are most of the time from
> static IP addresses.

I'm not sure I understand the wisdom of blocking Code Red / Nimda "attacks".
Given that we know exactly what is causing the "attack", the virus/trojan code
has been fully reported and is well characterised, and we know that our servers
[as long as they are patched appropriately] aren't vulnerable to this
*particular* attack, why expend effort on blocking them? It won't save any
bandwidth, will it? It makes the log files look a bit cleaner, but that appears
to be all... or am I missing something? (again?)

James


Script VBS to create an IP packet filter when an intrusion detected event happens

Post by Mariette Knap [MS MVP] » Wed, 07 Nov 2001 18:43:27


Indeed, the only benefit is that it keeps the logs clean, but if you get 400
attacks every day that can help to keep the logs small. On one day my log
was 16 Mb because of a tremendous amount of attacks.

--
Bye
Mariette Knap [MS SBS MVP]
Search MS Knowledge Base at http://support.microsoft.com/directory
Visit the Small Business Server Homepage at
http://www.microsoft.com/sbserver/




Script VBS to create an IP packet filter when an intrusion detected event happens

Post by Steve Foster [SBS MVP] » Wed, 07 Nov 2001 19:50:10


What happens if a new vulnerability is found & exploited. The servers which
are already nimda/CR will probably get that too, and start pounding on your
server again. If it's a new vulnerability - bang goes your server.

If you've locked them out completely, as Mariette is intending to do, then
they won't be able to get you under any circumstance.

Additionally, if you _are_ running a public IIS, then there should be a
performance saving as the requests will be filtered out by ISA and never
make it to IIS (so IIS won't have to process them).

--
Steve Foster [SBS MVP]
--------------------------
Please reply only to the newsgroups.




Script VBS to create an IP packet filter when an intrusion detected event happens

Post by Jame » Wed, 07 Nov 2001 21:25:34



> What happens if a new vulnerability is found & exploited. The servers which
> are already nimda/CR will probably get that too, and start pounding on your
> server again. If it's a new vulnerability - bang goes your server.
> If you've locked them out completely, as Mariette is intending to do, then
> they won't be able to get you under any circumstance.

What about all the Nimda probes from machines with dynamic IP addresses?

> Additionally, if you _are_ running a public IIS, then there should be a
> performance saving as the requests will be filtered out by ISA and never
> make it to IIS (so IIS won't have to process them).

Is there no performance penalty for having hundreds, thousands, or even tens
of thousands of distinct packet filters configured in ISA?

Is there a limit to the number of packet filters one can configure in ISA?

James


Script VBS to create an IP packet filter when an intrusion detected event happens

Post by Steve Foster [SBS MVP] » Thu, 08 Nov 2001 00:31:10


Longer term, we have to hope ISP's will take more responsibility (but I'm
not holding my breath).

You wouldn't get that many filters - you'd reach a point whereby instead of
creating filters for specific IP addresses, you'd block ranges instead.

As far as performance goes, ISA *has* to inspect every incoming packet
anyway, but yes, if you were to have thousands of filters, performance would
probably suffer. It's all a trade-off - somewhere there'll be a point where
the number of ISA filters makes it more economic to let IIS handle the
blocking.

--
Steve Foster [SBS MVP]
--------------------------
Please reply only to the newsgroups.




1. Event 14120 - ISA cannot create packet filter for all external IP addresses

It seems that my internet connection goes up and down
(which it really doesn't --- DSL).

When a client requests a web page using IE5, sometimes he
gets it, sometimes he doesn't.

When he doesn't get it, the Event Logs Application view is
populated with the 14120 Event saying that ISA cannot
create a packet filter for the webpage the client
requested.

Microsoft's knowledge base says that this event could be
ignored if my LAT is constructed properly:

http://support.microsoft.com/support/kb/articles/Q288/3/96.ASP?LN=EN-US&SD=gn&FR=0&qry=14120&rnk=2&src=DHCS_MSPSS_gn_SRCH&SPR=SBS

Then it tries to explain how to resolve it (I cannot
understand this part -- is it saying to create a host
record for every website out there?)

Anyway, I don't want to ignore this as it seems this is
causing intermittent problems with internet connectivity.

Also, things seem to work better if I reboot the SBS
Server. For a while anyway...

Any ideas would be GREATLY appreciated.

Bob Brislin
(starting to dislike SBS immensely)
