Nevermind... just tried it out on my busy servers and its way too CPU intensive. I think I need to do better matching.<br><br>
<div class="gmail_quote">On Sat, Jun 28, 2008 at 3:30 PM, Geoff Goas <<a href="mailto:gitman@gmail.com">gitman@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">
<div>If your servers are being crashed due to the 'stat 7' packet exploit, use the following iptables rules to block that particular packet:</div>
<div> </div>
<div>-A PREROUTING -m string --hex-string "|737461747300007907|" --algo kmp --to 65535 -j LOG --log-prefix "COD4STATS_EXPLOIT "<br>-A PREROUTING -m string --hex-string "|737461747300007907|" --algo kmp --to 65535 -j DROP<br>
</div>
<div>The first rule will log the attempt to syslog, the second will drop the packet.</div>
<div><br><font color="#888888">-- <br>Geoff Goas<br>Network Engineer </font></div></blockquote></div><br><br clear="all"><br>-- <br>Geoff Goas<br>Network Engineer