Re: [squid-users] Nimda Virus problem

From: <Peter.van.der.Does@dont-contact.us>
Date: Thu, 20 Sep 2001 13:24:04 +0200

I did the following, which works fine for me:

acl nimda_block url_regex "/usr/local/squid/etc/nimda_block"
http_access deny nimda_block

The contents of nimda_block:
.*readme.eml*

Hope it helps, looking forward to other solutions as well.

Peter van der Does

Tomas Andershem <tomas.andershem@calldok.com> on 20-09-2001 12:03:47

To: squid-users@squid-cache.org
cc: (bcc: Peter van der Does/VopakShipping-DOR/SHIP/Vopak)

Subject: [squid-users] Nimda Virus problem

Hi, I turn to you in hope of some ideas. Sorry if this has been answered
already, but I haven't been able to find anything about it.

I'm trying to block out the Nimda worm in my Squid proxy server and I'm
having some problems.
I'm running a Linux RH6.2 system with the squid-2.4.STABLE2 package, newly
compiled.
The browsers I use are IE4.0 - IE5.5.
I have entered an ACL ruleset that looks like this:

acl w1 url_regex eml
acl e1 url_regex -i eml
acl q1 urlpath_regex eml
acl a1 urlpath_regex -i eml
acl r1 urlpath_regex -i \.eml$
acl t1 url_regex -i \.eml$

http_access deny w1
http_access deny e1
http_access deny q1
http_access deny a1
http_access deny r1
http_access deny t1
..
..
more http_access allow rules for clients
..

The real problem I have is that it is passing through the readme.eml.
The access.log file gives me this message, which also looks like it is being
blocked, but it reaches my client just fine.

xxx.xxx.xxx.xxx - - [20/Sep/2001:11:43:33 +0200] "GET http://brooker1.internet42.com/readme.eml HTTP/1.1" 403 1052 TCP_DENIED:NONE

The regexp filters work just fine if I have "eml" in the browser's URL path,
e.g. http://www.anywhere.com/eml

Any ideas would be appreciated.

Tomas Andershem
Received on Thu Sep 20 2001 - 05:24:35 MDT
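
Added example (not part of the original messages): a small harness that runs the block patterns quoted in this thread over constructed sample URLs and reports which requests each pattern misses or blocks by mistake. Python's re module stands in for Squid's regex matching here (these simple patterns behave the same in both); the "candidate" pattern, the sample URLs and the blocked/allowed expectations are assumptions made for illustration.

```python
import re

# ACL patterns: (name, regex, case-insensitive as with Squid's -i flag)
ACLS = [
    ("w1", r"eml", False),                     # from the thread
    ("t1", r"\.eml$", True),                   # from the thread
    ("nimda_block", r".*readme.eml*", False),  # from the thread
    # Assumption: a tighter candidate pattern, not from the thread
    ("candidate", r"/readme\.eml(\?|$)", True),
]

# Constructed sample URLs: (url, should_be_blocked)
SAMPLES = [
    ("http://brooker1.internet42.com/readme.eml", True),  # URL from the log line
    ("http://host.example/README.EML", True),             # case variant
    ("http://host.example/readme.eml?x=1", True),         # query string appended
    ("http://host.example/docs/problemlist.html", False), # contains "eml" by chance
    ("http://host.example/readme_em.txt", False),         # near miss
]

def matches(pattern, url, icase):
    """Unanchored search over the full URL, as url_regex does."""
    return re.search(pattern, url, re.IGNORECASE if icase else 0) is not None

def evaluate(acls=ACLS, samples=SAMPLES):
    """Return {acl_name: {"missed": [...], "false_positive": [...]}}."""
    report = {}
    for name, pattern, icase in acls:
        missed = [u for u, bad in samples if bad and not matches(pattern, u, icase)]
        fp = [u for u, bad in samples if not bad and matches(pattern, u, icase)]
        report[name] = {"missed": missed, "false_positive": fp}
    return report

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

Running a pattern file through a check like this before loading it into squid.conf shows the trade-off between the broad "eml" match, the end-anchored match and the file-based pattern.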

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:02:19 MST