ipchains code for strings (from: Re: [suse-security] WEB IIS cmd exe requests)
On Tuesday 18 September 2001 10:27 am, you wrote:
I have this for the older ones:
$IPTABLES -I INPUT -p tcp --dport 80 -m string --string .ida -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset
After searching google and man, I'm guessing that there's no equivalent for ipchains, and that a second tool such as Snort or the like would need to be used in my case...?
TIA
geo
Hi,
On 19-Sep-01 Fluffy Bananachunks wrote:
On Tuesday 18 September 2001 10:27 am, you wrote:
I have this for the older ones:
$IPTABLES -I INPUT -p tcp --dport 80 -m string --string .ida -m state --state ESTABLISHED -j REJECT --reject-with tcp-reset
After searching google and man, I'm guessing that there's no equivalent for ipchains, and that a second tool such as Snort or the like would need to be used in my case...?
You're right, there's no such thing as stateful inspection with ipchains; you should use snort as well if you want to tap into the flow of packets. The latest snortrules contain attack signatures for the Unicode exploit/cmd.exe, but you should be able to construct some default.ida rules yourself. Writing snort rules is not too difficult and is heavily documented. Just take a look at http://www.snort.org .
Boris Lorenz
* Boris Lorenz:
You're right, there's no such thing as stateful inspection with ipchains; you should use snort as well if you want to tap into the flow of packets. The latest snortrules contain attack signatures for the Unicode exploit/cmd.exe, but you should be able to construct some default.ida rules yourself. Writing snort rules is not too difficult and is heavily documented. Just take a look at http://www.snort.org .
Though not with ipchains yet:
a) configure the webserver for another port, i.e. 81, and use return-rst to reset port 80 requests
b) better, I think, use hogwash http://hogwash.sourceforge.net
HTH
--
Togan Muftuoglu
Togan Muftuoglu wrote:
Though not with ipchains yet
hm, what about a squid? Redirect all traffic to the squid instead of passing it directly to the webserver, and you can define ACLs to deny these requests...
just my 2 cents
--
intraDAT AG http://www.intradat.com
Wilhelm-Leuschner-Strasse 7, D - 60329 Frankfurt am Main
Tel: +49 69-25629-0, Fax: +49 69-25629-256
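Both Boris's suggestion (write your own default.ida / cmd.exe signatures) and the squid ACL idea above come down to the same thing: a substring check on the HTTP request. The following is an added example, not code from the thread or from any of the tools it mentions. It mirrors the literal match the quoted iptables rule performs and sets it beside a check that percent-decodes and case-folds the request target first, run over constructed sample request lines (no captured traffic). Names such as SIGNATURES, matches_raw and matches_decoded are my own.

```python
"""Added example: literal vs. decoded substring matching of HTTP request lines.

The quoted iptables rule (-m string --string .ida) is a case-sensitive literal
byte match. A Snort rule or a squid ACL written by hand has the same
character unless it normalises the request first. Sample lines are constructed.
"""
from urllib.parse import unquote

# The two strings the thread talks about matching on.
SIGNATURES = (".ida", "cmd.exe")

# Constructed sample HTTP request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",            # benign
    "GET /default.ida?XXXX HTTP/1.0",      # the default.ida request the thread mentions
    "GET /scripts/cmd.exe HTTP/1.0",       # plain cmd.exe request
    "GET /images/%2eida HTTP/1.0",         # same as /images/.ida after percent-decoding
    "GET /Scripts/CMD.EXE HTTP/1.0",       # upper-case spelling; IIS paths are case-insensitive
    "GET /reports/q3.idata HTTP/1.0",      # benign, but contains ".ida" as a substring
    "garbage",                             # malformed line
]


def request_path(line: str) -> str:
    """Return the request target of a request line, or '' if the line is malformed."""
    parts = line.split()
    return parts[1] if len(parts) >= 2 else ""


def matches_raw(line: str) -> bool:
    """Literal, case-sensitive substring match, as the iptables string match does."""
    return any(sig in line for sig in SIGNATURES)


def matches_decoded(line: str) -> bool:
    """Match after percent-decoding and lower-casing the request target."""
    path = unquote(request_path(line)).lower()
    return any(sig in path for sig in SIGNATURES)


def scan(lines):
    """Classify each line both ways; returns a list of dicts for inspection."""
    return [
        {"line": line, "raw": matches_raw(line), "decoded": matches_decoded(line)}
        for line in lines
    ]


def summarize(lines):
    """Count how many lines each method flags."""
    results = scan(lines)
    return {
        "raw": sum(r["raw"] for r in results),
        "decoded": sum(r["decoded"] for r in results),
    }


if __name__ == "__main__":
    for r in scan(SAMPLE_REQUESTS):
        print(f"raw={r['raw']!s:5} decoded={r['decoded']!s:5} {r['line']}")
    print(summarize(SAMPLE_REQUESTS))
```

Two caveats the output makes visible: the literal match misses the percent-encoded and upper-case spellings, while both methods flag the harmless q3.idata line, so a substring signature needs an anchor (for example ".ida?" at the end of the path) before it is used to reset or deny connections. A packet-level string match such as the iptables one also only sees one TCP segment at a time, so a string split across segments is not seen at all; that is the limitation Boris's "tap into the flow of packets" remark points at.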
Hi all!
Boris Lorenz wrote:
. . .
You're right, there's no such thing as stateful inspection with ipchains; you should use snort as well if you want to tap into the flow of packets. The latest snortrules contain attack signatures for the Unicode exploit/cmd.exe, but you should be able to construct some default.ida rules yourself. Writing snort rules is not too difficult and is heavily documented. Just take a look at http://www.snort.org .
. . .
<bashful-stolen-from-another-list>
Subject: Snort sigs
Date: Wed, 19 Sep 2001 13:10:03 +0100
from: "JustinMacCarthy"
participants (5): Boris Lorenz, Dieter Huerten, Fluffy Bananachunks, Sven Michels, Togan Muftuoglu