Forum Discussion

Yoda_34023
Feb 27, 2007

Combined Nimda/CodeRed and redirection with a wait time

Hi,

I'm trying to combine some great iRules I received from the forum into a single script.

Here's my logic:

If the incoming request contains CodeRed or Nimda then log it. Send back a message to the client telling them you logged it and display their IP address (and any more information we can extract).

Now discard the packet and then wait for 10 seconds, before redirecting to the main site. (Not sure if this will work)

This is what I have done so far:

    when HTTP_REQUEST {
        # Lower-case the URI so the matches below are case-insensitive
        set uri [string tolower [HTTP::uri]]

        # Request paths associated with CodeRed / Nimda probes
        if { ($uri contains "default.ida")
             or ($uri contains "cmd.exe")
             or ($uri contains "root.exe")
             or ($uri contains "admin.dll") } {

            log local0. "Client: [IP::client_addr], requested [HTTP::host]$uri and was discarded"

            HTTP::respond 200 content "Message Title,We logged your IP do thing you should not be, your IP is [IP::client_addr]
            Stop it or we will stop you
            "

            discard

            # **** WOULD LIKE TO DISPLAY A REDIRECTING TO MAIN SITE IN 10 SECONDS, THEN REDIRECT IT ****
        }
    }

3 Replies

  • You could use a for loop (or nested for loops) to build in this delay, but as Colin has pointed out before, this isn't a desirable thing. Another option would be to build an unmonitored (and non-existing node) to send such connections to, tuning your tcp so that an LB_FAILED event happens around the 10s mark. Then you could do your redirect in the LB_FAILED event. Not sure either of these are desirable outcomes.
  • Thanks for the insight. Will wait to see if any more responses come in, then I can explore them.
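
An added example, not part of the original thread: one way to get the "notice, then redirect after 10 seconds" behaviour without holding the connection or looping on the BIG-IP is to let the browser do the waiting through a `Refresh` response header. The `main_site` URL is a placeholder assumption, and the notice wording is constructed for the example.

```tcl
when HTTP_REQUEST {
    # Lower-case the URI so the signature match is case-insensitive.
    set uri [string tolower [HTTP::uri]]

    if { ($uri contains "default.ida")
         or ($uri contains "cmd.exe")
         or ($uri contains "root.exe")
         or ($uri contains "admin.dll") } {

        # Record the probe. The URI and Host are client-controlled, so they
        # go to the log only and are never echoed into the HTML below.
        log local0. "Client: [IP::client_addr] requested [HTTP::host]$uri, notice page sent"

        # Assumption: placeholder for the real main-site URL.
        set main_site "http://www.example.com/"

        # The only client-derived value in the page is the source address,
        # which the BIG-IP supplies and which cannot carry markup.
        set body "<html><head><title>Request logged</title></head>"
        append body "<body><p>This request was logged from [IP::client_addr].</p>"
        append body "<p>Redirecting to the main site in 10 seconds.</p></body></html>"

        # HTTP::respond answers from the BIG-IP itself, so the request never
        # reaches a pool member. The Refresh header makes the browser wait
        # 10 seconds and then load main_site; no server-side delay is needed.
        HTTP::respond 200 content $body \
            "Content-Type" "text/html" \
            "Refresh" "10; url=$main_site" \
            "Connection" "close"
    }
}
```

`Refresh` is a de facto header that browsers honour; an automated worm ignores it and just receives the 200 page, so the delay costs the BIG-IP nothing. `discard` is left out here because `HTTP::respond` already ends handling of the request.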