Murphy moment (read: route command in XP isn't cooperating)

Status
Not open for further replies.

MichealC4

Programmer
Jun 26, 2003
457
Per the subject. I know I'm doing something wrong here, but for some reason I'm only able to think on a single-track at the moment. :/

Here's the command I'm trying to do:

route add 127.0.0.1 MASK 255.255.255.0 127.0.0.1 METRIC 1 IF 2

I'm getting the error:

The route addition failed: The specified mask parameter is invalid. (Destination & Mask) != Destination.

It's a long story, but I'm trying to keep any and all traffic from leaving the machine.

----------------------------
"Security is like an onion" - Unknown
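The rule quoted in that error message, (Destination & Mask) must equal Destination, worked through as an added example that is not part of the original thread. The function names are hypothetical, the first sample command is the one from the post and the others are constructed. The contiguity test is a general netmask sanity check added here, and passing both checks does not guarantee the route will be accepted.

```python
import ipaddress
import shlex


def parse_route_add(cmdline):
    """Parse 'route add <dest> MASK <mask> <gateway> [METRIC n] [IF n]'."""
    tok = shlex.split(cmdline)
    if (len(tok) < 6 or [t.lower() for t in tok[:2]] != ["route", "add"]
            or tok[3].upper() != "MASK"):
        raise ValueError("expected: route add <dest> MASK <mask> <gateway> ...")
    return tuple(ipaddress.IPv4Address(tok[i]) for i in (2, 4, 5))


def mask_is_contiguous(mask):
    """True if the mask is a run of 1 bits followed only by 0 bits."""
    inv = ~int(mask) & 0xFFFFFFFF      # host bits become 1s
    return inv & (inv + 1) == 0        # 0b0..01..1 plus one shares no bits


def check_route(cmdline):
    """Return (ok, message) for the destination/mask consistency rule."""
    dest, mask, _gateway = parse_route_add(cmdline)
    if not mask_is_contiguous(mask):
        return False, f"mask {mask} is not contiguous"
    network = ipaddress.IPv4Address(int(dest) & int(mask))
    if network != dest:
        return False, (f"({dest} & {mask}) = {network}, not {dest}; "
                       f"with this mask the destination would be {network}")
    return True, f"{dest} MASK {mask} is consistent"


if __name__ == "__main__":
    samples = [
        # Command from the post above.
        "route add 127.0.0.1 MASK 255.255.255.0 127.0.0.1 METRIC 1 IF 2",
        # Constructed variants for comparison.
        "route add 127.0.0.1 MASK 255.255.255.255 127.0.0.1 METRIC 1 IF 2",
        "route add 127.0.0.0 MASK 255.255.255.0 127.0.0.1",
        "route add 10.0.0.0 MASK 255.0.255.0 10.0.0.1",
    ]
    for cmd in samples:
        ok, msg = check_route(cmd)
        print("OK  " if ok else "FAIL", msg)
```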
 
Never tried what you are doing, but I would try making the subnet mask, 255.255.255.255 so there is only the one available ip. Good luck.

Glen A. Johnson
If you're from Northern Illinois/Southern Wisconsin feel free to join the Tek-Tips in Chicago, Illinois Forum.
Don't forget to shop @ the Tek-Tips Store for Christmas!
TTinChicago
 
I tried that too, and it didn't work. :( Thanks for looking though. :)

----------------------------
"Security is like an onion" - Unknown
 
Have you tried something simple like loading zone alarm lite? It's free and has worked for me for years. Good luck.

Glen A. Johnson
 
Well, let me explain what I am trying to do, maybe that will help.

After battling the various variants of Bagle, getting hit with Slammer (don't ask me to splain that one :p), I decided to dynamically quarantine a machine. Well, I would like to be able to do it at the switch level, but for various reasons, I can't. So, I got the crazy idea to toy with the IP stack. :p I'll set up a simple service that listens on a certain port, I can log in to it (or the backend can, which will check the IPS, IDS, syslog, etc.), and run the command. That will (or is supposed to) null route all traffic coming from the server/workstation so that the virus won't be able to spread itself. We will then get an alert (and/or the user calls us) and we will then work to correct it. I'm sorry, but I can't spend all day watching the overwhelming amount of logs. I barely get by as it is. So, that's my idea.

----------------------------
"Security is like an onion" - Unknown
 
You might be in the wrong forum. Re-post in forum581 TCP/IP forum. I like the idea, and maybe we can help in there. Good luck.

Glen A. Johnson
 
Will do, thanks. :)

----------------------------
"Security is like an onion" - Unknown
 
Why don't you try doing a sniff trace locally? Why would you want to quarantine your machine? Just unplug it from the network and get a mini-hub and run a sniff trace.
 
JrNetMag: With all due respect, did you read my post above? I explained why your suggestion would not work ...

I spend a great deal of my time watching logs and running around tracking down machines. That is time that could be spent say running regular network scans, patching vulnerabilities that my previous scans found, working on the many projects that I have, and so on. So I would prefer to do a little watching of the logs and have the rest automated. Automation is a good thing for an admin. Particularly when said admin has enough to do as it is. ;)

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt
 