|Microsoft Internet Security and Acceleration Server 2000|
When an alert contains a program to execute, ISA provides environment variables with the event information to the executing process. The environment variables contain the inserted strings data from the event log. For each inserted string a corresponding ALERT_PARAMETER_X is added, where X is the sequence number of that string.
You can use the environment variables to refine a response to an event. For example, you can use the string representing an attacker's IP address to respond appropriately to the attack. An appropriate response could be the creation of a packet filter that blocks all packets from that IP address.
The VBScript provided below creates a blocking packet filter for an IP address received in an attack event. It's based on the sample script StaticFilter.vbs.
In order to use the script as a response to an attack, you should create a new alert with the following parameters:
where %windir% is your Windows 2000 installation directory, and StaticFilter.vbs is the full path to the script you want to run.
'define the constants const fpcBlockingPacketFilter = 2 const fpcCustomFilterType = 1 const fpcPfAnyProtocolIpIndex = 0 const fpcPfDirectionIndexBoth = 3 const fpcPfAnyPort = 1 const fpcPfAnyRemotePort = 1 const fpcPfDefaultProxyExternalIp = 1 const fpcPfSingleHost = 2 Private Sub SetStaticPacketFilter() 'Create the root object Set ISA = CreateObject("FPC.Root") ISA.Refresh 'Get the containing array Set MyArray = ISA.Arrays.GetContainingArray ' Create blocked filter to all traffic from the attacker IP Set pf = MyArray.ArrayPolicy.IpPacketFilters.Add("Block attacker",fpcBlockingPacketFilter) pf.Description = "Block all traffic from attacker" ' set the filter parameters pf.Enabled = True pf.AllServers = True pf.FilterType = fpcCustomFilterType pf.ProtocolNumber = fpcPfAnyProtocolIpIndex ' allow bidirectional traffic so packets can be sent and received pf.PacketDirection = fpcPfDirectionIndexBoth ' define the local host type pf.SetLocalHost fpcPfDefaultProxyExternalIp ' set the local port type pf.LocalPortType = fpcPfAnyPort ' set the protocol port type & number pf.RemotePortType = fpcPfAnyRemotePort ' limited to only work with a specific attacker machine on the Internet Set WshShell = WScript.CreateObject("WScript.Shell") Set WshEnv = WshShell.Environment("Process") 'the environment variable 'ALERT_PARAMETER_1' contains the attacker IP pf.SetRemoteHost fpcPfSingleHost, WshEnv("ALERT_PARAMETER_1") MyArray.Save End Sub SetStaticPacketFilter