RE: [despammed] [fw-wiz] Blocking IRC ....

From: Jose Eduardo B. Nunes Martins (jemart_at_student.dei.uc.pt)
Date: 01/23/04

  • Next message: Eric Appelboom: "RE: [despammed] [fw-wiz] Blocking IRC ...." 
    To: firewall-wizards@honor.icsalabs.com
Date: Fri, 23 Jan 2004 22:00:06 +0000 (WET)

    Is it my mistake or does this drops ALL packets with the specified strings?
    Would an HTML page with those strings have his (or some of his) packet droped?

    On Mon, 19 Jan 2004, Eric Appelboom wrote:

    >Or if you really want to be classy using just IPTables use string
    >matching support
    >
    >iptables -I INPUT -j DROP -p tcp -d 0.0.0.0/0 -m string --string "JOIN
    >\: \#"
    >iptables -I INPUT -j DROP -p tcp -d 0.0.0.0/0 -m string --string
    >"PRIVMSG "
    >
    >http://www.securityfocus.com/infocus/1531
    >
    >Cheers
    >Eric
    >
    >-----Original Message-----
    >From: Eric Appelboom
    >Sent: 19 January 2004 10:54 AM
    >To: 'Vishwanath V'; firewall-wizards@honor.icsalabs.com
    >Subject: RE: [despammed] [fw-wiz] Blocking IRC ....
    >
    >Use snort with flexresp
    >
    >RULE-LOCKED:alert tcp $HOME_NET any -> !$SAFE_IRC any (msg:"CHAT IRC
    >channel join"; flow:to_server,established; content:"JOIN \: \#"; nocase;
    >offset:0; classtype:misc-activity; sid:1729; rev:2; resp: rst_all;)
    >RULE-LOCKED:alert tcp $HOME_NET any -> !$SAFE_IRC any (msg:"CHAT IRC
    >message"; flow:to_server,established; content:"PRIVMSG "; nocase;
    >offset:0; classtype:misc-activity; sid:1463; rev:3; resp: rst_all;)
    >
    >
    >I defined !$SAFE_IRC as IRC server I don't block.
    >This also block IRC over nonstandard ports.
    >
    >Regards
    >Eric
    >
    >-----Original Message-----
    >From: Vishwanath V [mailto:thelinuxguyis@yahoo.co.in]
    >Sent: 14 January 2004 12:47 PM
    >To: firewall-wizards@honor.icsalabs.com
    >Subject: [despammed] [fw-wiz] Blocking IRC ....
    >
    >Hi guys,
    > I just joined the list.
    >I need some help wrt iptables.
    >I have a linux gateway machine acting as a IP_masq/firewall.
    >My policy is a basic deny all.
    >I wana block machnies on my LAN from using irc client.
    >
    >Thanks in advance.
    >Visu
    >
    >________________________________________________________________________
    >Yahoo! India Mobile: Download the latest polyphonic ringtones.
    >Go to http://in.mobile.yahoo.com
    >_______________________________________________
    >firewall-wizards mailing list
    >firewall-wizards@honor.icsalabs.com
    >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >
    >----------------------------------------------
    >Filtered by despammed.com. Tracer: /headers/TAA027571074475835 Consider
    >a PayPal donation to help Despammed stay a step or two ahead of the bad
    >guys.
    >A new PayPal donation button is now on the home page. Thanks!
    >
    >
    >_______________________________________________
    >firewall-wizards mailing list
    >firewall-wizards@honor.icsalabs.com
    >http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    > 

    -- 
JoseM
"Compaq are the most poorly designed PCs I've ever seen.." - Andrew
http://7mares.terravista.pt/zemartins
telnet://spunge.org:6969
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
  • Next message: Eric Appelboom: "RE: [despammed] [fw-wiz] Blocking IRC ...."