Date: Fri, 28 Sep 2001 11:49:36 +0800 From: Igor Podlesny <poige@morning.ru> To: Mike Tancsa <mike@sentex.net> Cc: security@FreeBSD.ORG Subject: Re: inspecting data with ipfw (ala hogwash) Message-ID: <1851113969924.20010928114936@morning.ru> In-Reply-To: <5.1.0.14.0.20010927231534.036396f0@192.168.0.12> References: <5.1.0.14.0.20010927231534.036396f0@192.168.0.12>
next in thread | previous in thread | raw e-mail | index | archive | help
> Does anyone know of any patches similar in function to what hogwash does ? > (http://hogwash.sourceforge.net). Basically something to deny packets > based on the content of the packets. With the latest iptables on LINUX, > you can now do matching on data portion as well. Something like > ipfw add 666 deny log tcp from any to me 80 data "*scripts/cmd.exe*" ? What if somebody just wanted to PUT a description containing these strings? ;-) Then, really cool nuts could fragment up the exploit code to the unrecognizeable (sorry for that term ;-), by this approach, state. Another interesting question is "What should be done to this TCP session". For e.g., this data wasn't in initial SYN segment, so the connection has been established. At least I can say that 'deny' is too harmful here, I suggest using 'reset' or 'unreach'. And one more thing to remember -- lots of ppl use statefull firewall set-up. In common, I agree that the idea is interesting... and in freebsd it could be implemented with something like 'divert' and 'NATPd' (Network Attack Tracking & Preventing ;-) which could be a userland daemon just like NATd is. BTW, thanx for the URL! > would be what I am after > ---Mike > -------------------------------------------------------------------- > Mike Tancsa, tel +1 519 651 3400 > Sentex Communications, mike@sentex.net > Providing Internet since 1994 www.sentex.net > Cambridge, Ontario Canada www.sentex.net/mike > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Igor mailto:poige@morning.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1851113969924.20010928114936>