Re: iptables anti-nimda anyone?From: email@example.com
- Previous message: Eric Landuyt: "Re: iptables anti-nimda anyone?"
- In reply to: R Dicaire: "Re: iptables anti-nimda anyone?"
- Next in thread: Manuel Guesdon: "Re: iptables anti-nimda anyone?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 24 Sep 2001 12:21:05 +0300 From: firstname.lastname@example.org To: <email@example.com> Subject: Re: iptables anti-nimda anyone? Message-ID: <20010924122105.B19682@gecadsoftware.com>
On Fri, 21 Sep 2001, R Dicaire wrote:
> Forwarded From: Sven Michels <firstname.lastname@example.org>
> > if you've patched the kernel with string match support: yes:
> > $IPTABLES -I INPUT -p tcp --dport 80 -m string --string .exe? -m state \
> > --state ESTABLISHED -j REJECT --reject-with tcp-reset
> > (same works wizh .ida for the old one)
> Where can this patch be had if its not included with the kernel, or iptables
> src? I can see where having this string filter could be handy.
it's not activated by default (considered experimental); you must run `make
patch-o-matic' or `most-of-pom' (iirc) if you want it in (and yap, in iptables
> Also, could this filter rule be bypassed with some unicode representation of
> said string?
as far as could understand from ipt_string.c it matches exactly the string
that was provided, so it can be tricked (unless you come with several versions
of the rule to take that into account).