From owner-freebsd-security Fri Sep 28 7:56:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from exchmx2.lsuhsc.edu (exchmx2.lsuhsc.edu [155.58.212.90]) by hub.freebsd.org (Postfix) with ESMTP id E328737B405 for ; Fri, 28 Sep 2001 07:56:39 -0700 (PDT)
Received: by exchmx2.lsuhsc.edu with Internet Mail Service (5.5.2653.19) id ; Fri, 28 Sep 2001 09:56:28 -0500
Message-ID:
From: "Mire, John"
To: 'Igor Podlesny' , Mike Tancsa
Cc: security@FreeBSD.ORG
Subject: RE: inspecting data with ipfw (ala hogwash)
Date: Fri, 28 Sep 2001 09:56:26 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

our use of snort seems to indicate that fragmenting the code doesn't work b/c of the frag2 preprocessor that reassembles packets and sends them through the detection engine...

-----Original Message-----
From: Igor Podlesny [mailto:poige@morning.ru]
Sent: Thursday, September 27, 2001 22:50
To: Mike Tancsa
Cc: security@FreeBSD.ORG
Subject: Re: inspecting data with ipfw (ala hogwash)

> Does anyone know of any patches similar in function to what hogwash does ?
> (http://hogwash.sourceforge.net). Basically something to deny packets
> based on the content of the packets. With the latest iptables on LINUX,
> you can now do matching on data portion as well. Something like
> ipfw add 666 deny log tcp from any to me 80 data "*scripts/cmd.exe*" ?

What if somebody just wanted to PUT a description containing these strings? ;-)

Then, really cool nuts could fragment up the exploit code to the unrecognizable (sorry for that term ;-), by this approach, state.

Another interesting question is "What should be done to this TCP session". For e.g., this data wasn't in the initial SYN segment, so the connection has been established. At least I can say that 'deny' is too harmful here, I suggest using 'reset' or 'unreach'.

And one more thing to remember -- lots of ppl use a stateful firewall set-up.

In common, I agree that the idea is interesting... and in freebsd it could be implemented with something like 'divert' and 'NATPd' (Network Attack Tracking & Preventing ;-) which could be a userland daemon just like NATd is.

BTW, thanx for the URL!

> would be what I am after
> ---Mike
> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet since 1994 www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Igor
mailto:poige@morning.ru
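The two detection points raised in the thread above, as an added example that is not part of the original messages and is not code from ipfw, Snort or hogwash: a small Python model of a TCP flow that shows why a per-packet content match (the hypothetical `data "*scripts/cmd.exe*"` rule) misses a pattern split across segment boundaries, while reassembling the flow by sequence number before matching, which is what John describes Snort's frag2 preprocessor doing ahead of the detection engine, catches it regardless of reordering or retransmission. It also shows Igor's point that a content match cannot tell a harmless PUT that merely contains the string from anything else. The `Segment` type, the sample flows and the "first bytes seen win" overlap policy are constructed assumptions for this example.

```python
"""Per-segment matching versus flow reassembly (added example, not from the thread).

A TCP flow is modelled as a list of (seq, payload) segments. The content
pattern is the one proposed in the thread; the Segment type, the sample flows
and the reassembly policy are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List

PATTERN = b"scripts/cmd.exe"  # the string from the thread's hypothetical ipfw rule


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes  # TCP payload carried by this segment


def match_per_segment(segments: Iterable[Segment], pattern: bytes = PATTERN) -> bool:
    """Naive per-packet matcher: looks at each segment's payload on its own,
    so a pattern that straddles a segment boundary is never seen whole."""
    return any(pattern in s.payload for s in segments)


def reassemble(segments: Iterable[Segment]) -> bytes:
    """Rebuild the byte stream by sequence number.

    Handles out-of-order delivery and retransmissions; on overlap the bytes
    seen first are kept (a constructed policy; real stacks differ per OS,
    which is itself a classic IDS-versus-host ambiguity). A hole in the
    stream raises, because matching across a gap would be guesswork.
    """
    buf = bytearray()
    expected = None  # next sequence number still needed
    for s in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = s.seq
        end = s.seq + len(s.payload)
        if end <= expected:
            continue  # pure retransmission, nothing new
        if s.seq > expected:
            raise ValueError(f"gap in flow: expected seq {expected}, got {s.seq}")
        buf += s.payload[expected - s.seq:]  # skip the already-seen prefix
        expected = end
    return bytes(buf)


def match_reassembled(segments: Iterable[Segment], pattern: bytes = PATTERN) -> bool:
    """Matcher that inspects the reassembled stream, the way a reassembly
    preprocessor feeds a detection engine."""
    return pattern in reassemble(segments)


# Constructed sample flows (relative sequence numbers).
WHOLE: List[Segment] = [Segment(0, b"GET /scripts/cmd.exe HTTP/1.0\r\n")]

# The same request split so that the pattern never sits inside one segment.
SPLIT: List[Segment] = [
    Segment(0, b"GET /scri"),
    Segment(9, b"pts/cmd.e"),
    Segment(18, b"xe HTTP/1.0\r\n"),
]
SPLIT_REORDERED: List[Segment] = [SPLIT[2], SPLIT[0], SPLIT[1]]
SPLIT_RETRANSMIT: List[Segment] = SPLIT + [SPLIT[1]]

# The false-positive case from the thread: a harmless PUT whose body happens
# to contain the string. Both matchers fire; a content rule cannot tell intent.
BENIGN_PUT: List[Segment] = [
    Segment(0, b"PUT /notes/readme.txt HTTP/1.0\r\n\r\n"),
    Segment(34, b"see scripts/cmd.exe in the report\r\n"),
]

if __name__ == "__main__":
    for name, flow in [("whole", WHOLE), ("split", SPLIT),
                       ("reordered", SPLIT_REORDERED), ("benign PUT", BENIGN_PUT)]:
        print(f"{name:11} per-segment={match_per_segment(flow)!s:5} "
              f"reassembled={match_reassembled(flow)}")
```

The gap check matters for the "what should be done to this TCP session" question as well: a matcher that only ever sees whole, in-order streams has a well-defined point at which to act on an established connection, whereas one acting on isolated packets has already let the rest of the flow through.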