Re: iptables anti-nimda anyone?

From: teo@gecadsoftware.com
Date: 09/24/01


Date: Mon, 24 Sep 2001 12:21:05 +0300
From: teo@gecadsoftware.com
To: <focus-linux@securityfocus.com>
Subject: Re: iptables anti-nimda anyone?
Message-ID: <20010924122105.B19682@gecadsoftware.com>

Hi R!
On Fri, 21 Sep 2001, R Dicaire wrote:

> Forwarded From: Sven Michels <smichels@intradat.com>
>
> > if you've patched the kernel with string match support: yes:
> > $IPTABLES -I INPUT -p tcp --dport 80 -m string --string .exe? -m state \
> > --state ESTABLISHED -j REJECT --reject-with tcp-reset
> > (the same works with .ida for the old one)
>
> Where can this patch be had if it's not included with the kernel, or iptables
> src? I can see where having this string filter could be handy.

it's not activated by default (considered experimental); you must run `make
patch-o-matic' or `most-of-pom' (iirc) if you want it in (and yes, it's in the
iptables src).
 
> Also, could this filter rule be bypassed with some unicode representation of
> said string?

good point.
as far as I could understand from ipt_string.c, it matches exactly the string
that was provided, so it can be tricked (unless you come up with several versions
of the rule to take that into account).

ciao

-- teodor

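The bypass teodor is pointing at is easy to see on the wire. The following is an added example and not code from the thread or from the iptables project: it models ipt_string as what it is (an exact byte-substring search over one packet's payload) and contrasts it with the one-or-two-pass percent/%u decoding an IIS-era web server applies before it resolves the path. The pattern `.exe?` is the one from Sven's rule; the four request lines are constructed samples, and the `%uXXXX` decoder is a simplification that is exact for ASCII code points only.

```python
import re

# Constructed sample request lines (not from the original post). The same
# probe spelled plainly, with %XX escapes, with IIS-style %uXXXX escapes, and
# double-encoded (%25 is '%'), plus a benign request as a control.
SAMPLE_REQUESTS = {
    "plain":   b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\n",
    "percent": b"GET /scripts/cmd%2eexe?/c+dir HTTP/1.0\r\n",
    "unicode": b"GET /scripts/cmd%u002eexe%u003f/c+dir HTTP/1.0\r\n",
    "double":  b"GET /scripts/cmd%252eexe?/c+dir HTTP/1.0\r\n",
    "benign":  b"GET /index.html HTTP/1.0\r\n",
}


def string_match(payload: bytes, pattern: bytes) -> bool:
    """What `-m string --string PATTERN` does: an exact byte-substring search
    over the payload of a single packet. No decoding, no normalisation."""
    return pattern in payload


_PCT_U = re.compile(rb"%u([0-9A-Fa-f]{4})")   # IIS %uXXXX escape (assumption: ASCII-exact only)
_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")      # RFC-style %XX escape


def decode_once(payload: bytes) -> bytes:
    """One decoding pass, roughly what the web server does before it maps the
    path to a file. %u escapes first so that %u0025 cannot re-arm a %XX."""
    out = _PCT_U.sub(lambda m: chr(int(m.group(1), 16)).encode("utf-8", "replace"), payload)
    return _PCT.sub(lambda m: bytes([int(m.group(1), 16)]), out)


def normalized_match(payload: bytes, pattern: bytes, rounds: int = 2) -> bool:
    """Match after decoding, repeating up to `rounds` times so that a
    double-encoded request (%252e -> %2e -> .) is caught as well."""
    cur = payload
    for _ in range(rounds):
        if pattern in cur:
            return True
        nxt = decode_once(cur)
        if nxt == cur:          # nothing left to decode
            break
        cur = nxt
    return pattern in cur


def coverage(pattern: bytes, matcher) -> dict:
    """Which of the sample requests a given matcher would block."""
    return {name: matcher(req, pattern) for name, req in SAMPLE_REQUESTS.items()}


def variant_count(pattern: bytes, forms_per_byte: int = 5) -> int:
    """How many exact-match rules 'several versions of the rule' really means
    if every byte may independently be written plain, %xx, %XX, %uxxxx or
    %uXXXX. For the five-byte pattern '.exe?' that is 5**5 rules, and that is
    before double encoding or splitting the request across TCP segments."""
    return forms_per_byte ** len(pattern)


if __name__ == "__main__":
    pat = b".exe?"
    print("ipt_string-style exact match:", coverage(pat, string_match))
    print("match after decoding:        ", coverage(pat, normalized_match))
    print("exact-match rules needed for single-byte encodings:", variant_count(pat))
```

Run it and the exact matcher flags only the plain spelling, while the decoding matcher flags all four encoded forms and still leaves the benign request alone. Two caveats a practitioner would want on the record: the filter never sees the decoded path, so the place to block on a normalised URI is the web server or a reverse proxy in front of it, not the packet filter; and because `-m string` inspects one packet at a time, a request whose `.exe?` straddles a TCP segment boundary also walks past the rule, encoded or not. The iptables rule is a cheap tripwire for the worm's unmodified requests, nothing more.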