Date:      Fri, 28 Sep 2001 11:49:36 +0800
From:      Igor Podlesny <poige@morning.ru>
To:        Mike Tancsa <mike@sentex.net>
Cc:        security@FreeBSD.ORG
Subject:   Re: inspecting data with ipfw (ala hogwash)
Message-ID:  <1851113969924.20010928114936@morning.ru>
In-Reply-To: <5.1.0.14.0.20010927231534.036396f0@192.168.0.12>
References:  <5.1.0.14.0.20010927231534.036396f0@192.168.0.12>


> Does anyone know of any patches similar in function to what hogwash does ? 
> (http://hogwash.sourceforge.net).  Basically something to deny packets 
> based on the content of the packets.  With the latest iptables on LINUX, 
> you can now do matching on data portion as well.  Something like

> ipfw add 666 deny log tcp from any to me 80 data "*scripts/cmd.exe*" ?

What if somebody just wanted to PUT a description containing these
strings? ;-)

Then, really cool nuts could fragment up the exploit code to the
unrecognizable (sorry for that term ;-), by this approach, state.

Another interesting question is "What should be done to this TCP
session". For example, this data wasn't in the initial SYN segment, so the
connection has been established. At least I can say that 'deny' is too
harmful here, I suggest using 'reset' or 'unreach'. And one more thing
to remember -- lots of ppl use stateful firewall set-up.

In common, I agree that the idea is interesting... and in freebsd it
could be implemented with something like 'divert' and 'NATPd' (Network
Attack Tracking & Preventing ;-) which could be a userland daemon just
like NATd is.

BTW, thanx for the URL!

> would be what I am after

>         ---Mike

> --------------------------------------------------------------------
> Mike Tancsa,                                      tel +1 519 651 3400
> Sentex Communications,                            mike@sentex.net
> Providing Internet since 1994                    www.sentex.net
> Cambridge, Ontario Canada                         www.sentex.net/mike

-- 
 Igor                            mailto:poige@morning.ru
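The fragmentation and statefulness points above, as an added example that is not part of the original thread: it contrasts a per-segment "data" match (what an ipfw-style rule on individual packets would see) with matching over the reassembled TCP stream. The TCP segments, the sequence numbers and the HTTP request are constructed for the example.

```python
# Added example (not from the thread): contrasts an ipfw-style per-segment
# "data" match with matching over the reassembled TCP stream. All segments
# below are constructed (seq number, payload) pairs, not captured traffic.

PATTERN = b"scripts/cmd.exe"   # the pattern from the proposed rule

def per_segment_match(segments, pattern=PATTERN):
    """What a per-packet rule sees: each payload inspected on its own.
    Returns the indices of segments containing the pattern."""
    return [i for i, (_seq, data) in enumerate(segments) if pattern in data]

def reassemble(segments, isn):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.
    Tolerates out-of-order arrival and overlapping retransmissions;
    refuses to match across a hole rather than guessing at missing bytes."""
    stream, expected = bytearray(), isn
    for seq, data in sorted(segments, key=lambda s: s[0]):
        if seq > expected:
            raise ValueError(f"hole in stream at seq {expected}")
        overlap = expected - seq          # bytes already seen
        if overlap < len(data):
            stream += data[overlap:]
            expected = seq + len(data)
    return bytes(stream)

def stream_match(segments, isn, pattern=PATTERN):
    """Stateful approach: inspect the reassembled byte stream."""
    return pattern in reassemble(segments, isn)

def segment(payload, isn, sizes):
    """Cut a payload into segments of the given sizes (last one takes the rest)."""
    segs, off = [], 0
    for n in sizes:
        segs.append((isn + off, payload[off:off + n]))
        off += n
    segs.append((isn + off, payload[off:]))
    return segs

ISN = 1000
# Constructed request; the 12/8 split puts "scripts" and "/cmd.exe" in different segments.
REQUEST = b"GET /scripts/cmd.exe HTTP/1.0\r\nHost: www.example\r\n\r\n"
SEGS = segment(REQUEST, ISN, [12, 8])
OUT_OF_ORDER = SEGS[::-1] + [SEGS[1]]   # reversed arrival plus one retransmission

if __name__ == "__main__":
    print("per-segment hits:", per_segment_match(SEGS))      # []
    print("stream hit:", stream_match(OUT_OF_ORDER, ISN))    # True
```

Reassembly fixes the evasion, not the false positive: a benign PUT whose body merely mentions the string still matches, which is the first objection raised above.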


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message