Worm Detection Using Cisco NBAR

Recently I came across a interesting article about NBAR, that is it can classify Worms on the network. In most of the case, worms spread in to the network through email attachment or infected web browser.

Email attachment can be filtered setting appropriate rules on the SMTP server (Mail Server), But the worms spread also through Web browser. This we can be filtered based on NBAR classification.

What is NBAR?

Network Based Application Recognition, a classification engine in Cisco IOS, has the ability to detect a wide variety of applications via deep packet inspection using PDLMs (Packet Description Language Module – The PDLMs contain the rules used by NBAR to recognize an application.).

NBAR is a more of an intelligent classification and has the ability to identify web based and client-server applications that uses dynamic ports as well as those using well known port numbers (like Bit Torrent). This helps the network administrator identify what really is going on in the network and then define QoS policies to ensure that the bandwidth is used for its original purpose – run business applications.

Here are the few examples configuration on the Cisco devices which can help you to filter malicious traffic.

Router(config)#class−map match−any http−hacks

Router(config−cmap)#match protocol http url “*.ida*”

Router(config−cmap)#match protocol http url “*cmd.exe*”

Router(config−cmap)#match protocol http url “*root.exe*”

Router(config−cmap)#match protocol http url “*readme.eml*”

Once the router is configured to filter worms as mentioned above, the NBAR engine will do a deep packet analysis on traffic passing through the router interface and if the traffic matches above class then administrator can filter them using access list or they can do policy base routing for monitoring infected hosts.

How NetFlow Analyzer can help ?

NetFlow Analyzer is capable of classifying generate NBAR reports via SNMP and Flexible NetFlow. Click here to know how to configure the router for FNF NBAR.

NBAR can also classifies HTTP URL specific traffic,  With NBAR feature in NetFlow Analyzer you can keep track of anonymous http traffic as well as you can monitor traffic from infected hosts.

You can download the 30 day trial of ManageEngine NetFlow Analyzer from here.

Reach us on Facebook at NetFlow Analyzer TAC

Catch up with the latest updates in the industry, through our LinkedIn community Bandwidth Monitoring and Traffic Analysis for Enterprises

Reference:

http://www.cisco.com/image/gif/paws/4615/nimda.pdf

 

Praveen Kumar

NetFlow Analyzer Technical Team

Download | Interactive Demo  | Twitter | Customers

You Can Learn More About the ManageEngine Product Line By Going to www.ManageEngine.ca

The original article/video can be found at Worm Detection Using Cisco NBAR

About the Author: Shannon Lewis

Leave a Reply Cancel reply