I'm looking for a possibility to look into the data with iptables, not
proxies or anything. Proxies are too slow ... imho.
With kind regards / Best regards
Bruno Leonhardt
LPI Level 1 Certified
Watchguard Certified System Professional
CLP Domino R5 System Administrator
"Bodo Hoffmann" wrote:
One question to all those who are using IPTables to filter out patterns in traffic ....
HOW ??
IPTables is (and please correct me if I am wrong) a packet filter with the ability to store the state of a connection and use it to widen the range of the rules used to filter packets: a stateful-inspection packet filter (works on ISO/OSI layer 4/5).
YOU are looking for an application-level firewall (e.g. a proxy), which works on ISO/OSI layer 7 (application) and will be able to look INTO the packet. This can be done by mail filters, virus scanners, proxies etc...
You can use IPTables to forward those ports (e.g. 25 SMTP) to those filters, or use IPTables to block traffic which is sent over the specific ports the virus uses to spread/communicate, but not use IPTables to SCAN for CONTENT patterns.... !!!! (Maybe the name "packet-filter firewall" is a bit confusing ..)
Bodo Hoffmann
----- Original Message -----
From:
To: "suse-sec"
Sent: Monday, August 25, 2003 11:02 AM
Subject: Re: AW: Re: AW: [suse-security] IPTables and filtering Traffic based on content ( e.g. sobig )

Philipp - could you please give me a hint how to build the rule for the pattern to filter out ???
With kind regards / Best regards
Bruno Leonhardt
LPI Level 1 Certified
Watchguard Certified System Professional
CLP Domino R5 System Administrator
"mailinglists" wrote on 25.08.2003 10:50:21:
A few hours ago I read that it's possible (with stateful inspection) to filter by content.
Yes, it is. I filter Code Red that way. But to do so, you need to know the pattern.
I googled for it but could not find anything.
Philipp
--
Check the headers for your unsubscription address.
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here.
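Added example, not part of the thread above and not anyone's posted code. It models the point the two sides are talking past each other on: a packet filter, even with a content match such as iptables' string module (the -m string match, which on 2003-era kernels had to be taken from patch-o-matic and is in mainline today), inspects one packet at a time. A pattern that straddles two TCP segments gets past it, while a proxy that reassembles the stream catches it, and connection tracking alone (what makes iptables "stateful") does not help, because it tracks the flow, not the bytes. The request bytes, the host address and all function and class names below are constructed for this illustration; only the "/default.ida?" URI prefix is the real Code Red signature.

```python
"""Per-packet versus stream pattern matching (added illustration).

A packet filter inspects one packet at a time. Even with a content match
such as iptables' string module, a signature that straddles two TCP
segments is invisible to it; an application-level proxy that reassembles
the stream sees it. All packets below are constructed for this example.
"""

# Packet-filter equivalent of per_packet_match() below (modern iptables with
# the xt_string module; 2003-era kernels needed the match from patch-o-matic):
#   iptables -A FORWARD -p tcp --dport 80 -m string --algo bm \
#            --string "/default.ida?" -j DROP

# Code Red's request started with this URI prefix; the rest of the request
# built here is a constructed stand-in, not a capture of the worm.
PATTERN = b"/default.ida?"
REQUEST = (b"GET /default.ida?" + b"N" * 224
           + b" HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n")  # RFC 5737 test address


def split_payload(payload, at):
    """Split one application payload into two in-order TCP segment payloads."""
    return [payload[:at], payload[at:]]


def per_packet_match(segments, pattern):
    """Indexes of segments containing the pattern, each inspected on its own.

    This is what a packet filter's string match does: no memory of the
    bytes in the previous packet, even on a tracked (ESTABLISHED) flow.
    """
    return [i for i, seg in enumerate(segments) if pattern in seg]


def stream_match(segments, pattern):
    """Search the reassembled byte stream, as a proxy or L7 inspector would.

    Simplified: segments are assumed in order with no loss or overlap.
    """
    return pattern in b"".join(segments)


class CarryoverMatcher:
    """Per-packet matcher that remembers the tail of the previous segment.

    Keeping len(pattern) - 1 bytes is enough to catch a signature split
    across two consecutive in-order segments. It still does not cope with
    reordering, retransmission or overlapping segments; that is stream
    reassembly, which is the proxy's job rather than the packet filter's.
    """

    def __init__(self, pattern):
        if not pattern:
            raise ValueError("pattern must be non-empty")
        self.pattern = pattern
        self.tail = b""

    def feed(self, segment):
        data = self.tail + segment
        found = self.pattern in data
        keep = len(self.pattern) - 1
        # Negative slicing clamps, so a short segment is kept whole.
        self.tail = data[-keep:] if keep else b""
        return found


def evaluate(payload, pattern, split_at):
    """Compare both strategies for one request split at a given byte offset."""
    segments = split_payload(payload, split_at)
    return {
        "per_packet": bool(per_packet_match(segments, pattern)),
        "stream": stream_match(segments, pattern),
    }


if __name__ == "__main__":
    # Pattern wholly inside the first segment: both strategies match.
    print(evaluate(REQUEST, PATTERN, 40))
    # Pattern split as "GET /defau" | "lt.ida?NNN...": per-packet misses it.
    print(evaluate(REQUEST, PATTERN, 10))
```

The split at offset 10 is the case a packet filter cannot see; whether a real sender ever splits there is up to the sender, which is exactly why a per-packet string match is a cheap first line, not a replacement for the proxy-based scanning Bodo describes.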