Re: inspecting data with ipfw (ala hogwash)

From: Igor Podlesny (poige@morning.ru)
Date: 09/28/01


Date: Fri, 28 Sep 2001 11:49:36 +0800
From: Igor Podlesny <poige@morning.ru>
To: Mike Tancsa <mike@sentex.net>


> Does anyone know of any patches similar in function to what hogwash does ?
> (http://hogwash.sourceforge.net). Basically something to deny packets
> based on the content of the packets. With the latest iptables on LINUX,
> you can now do matching on data portion as well. Something like

> ipfw add 666 deny log tcp from any to me 80 data "*scripts/cmd.exe*" ?

What if somebody just wanted to PUT a description containing these
strings? ;-)

Then, really cool nuts could fragment up the exploit code to the
unrecognizeable (sorry for that term ;-), by this approach, state.

Another interesting question is "What should be done to this TCP
session". For e.g., this data wasn't in initial SYN segment, so the
connection has been established. At least I can say that 'deny' is too
harmful here, I suggest using 'reset' or 'unreach'. And one more thing
to remember -- lots of ppl use statefull firewall set-up.

In common, I agree that the idea is interesting... and in freebsd it
could be implemented with something like 'divert' and 'NATPd' (Network
Attack Tracking & Preventing ;-) which could be a userland daemon just
like NATd is.

BTW, thanx for the URL!

> would be what I am after

> ---Mike

> --------------------------------------------------------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet since 1994 www.sentex.net
> Cambridge, Ontario Canada www.sentex.net/mike

> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
 Igor                            mailto:poige@morning.ru
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message