Re: iptables anti-nimda anyone?

From: teo@gecadsoftware.com
Date: 09/24/01


Date: Mon, 24 Sep 2001 12:21:05 +0300
From: teo@gecadsoftware.com
To: <focus-linux@securityfocus.com>
Subject: Re: iptables anti-nimda anyone?
Message-ID: <20010924122105.B19682@gecadsoftware.com>

Hi R!
On Fri, 21 Sep 2001, R Dicaire wrote:

> Forwarded From: Sven Michels <smichels@intradat.com>
>
> > if you've patched the kernel with string match support: yes:
> > $IPTABLES -I INPUT -p tcp --dport 80 -m string --string .exe? -m state \
> > --state ESTABLISHED -j REJECT --reject-with tcp-reset
> > (same works wizh .ida for the old one)
>
> Where can this patch be had if its not included with the kernel, or iptables
> src? I can see where having this string filter could be handy.

it's not activated by default (considered experimental); you must run `make
patch-o-matic' or `most-of-pom' (iirc) if you want it in (and yap, in iptables
src).
 
> Also, could this filter rule be bypassed with some unicode representation of
> said string?

good point.
as far as could understand from ipt_string.c it matches exactly the string
that was provided, so it can be tricked (unless you come with several versions
of the rule to take that into account).

ciao

-- teodor