AW: [suse-security] IPTables and filtering Traffic based on content ( e.g. sobig )
Hi Bruno,

> does anybody know a short solution how to check if a special sequence is inside a packet (like the string of sobig)?

I guess you want to block Sobig.F before it hits your MTA. There exist mail filters for sendmail, exim and postfix. Have a look at this: http://www.heise.de/newsticker/data/dab-20.08.03-004/

If you have postfix, you shouldn't use the solution suggested on this page, but use the original solution. There is a link on the page, but for your convenience I give you the URL in this mail: http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml

This one works great for us.

Bye
Uli

--
Ulrich Roth
IMPACT Business & Technology Consulting GmbH
Im Mediapark 8 / KölnTurm
D-50670 Koeln
Phone +49-221-93 70 80-29
Fax +49-221-93 70 80-15
E-Mail: roth at impact dot de
Hi,

thanks - that helps. I'm still looking for a rule to block packets based on content with ip-tables. (I understood this "is" stateful inspection)

Best regards
Bruno Leonhardt
LPI Level 1 Certified
Watchguard Certified System Professional
CLP Domino R5 Systemadministrator

"Ulrich Roth" <Roth@impact.de> wrote on 25.08.2003 09:22:10:
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
Hi there,

On Monday, 25 August 2003 10:07, BLeonhardt@analytek.de wrote:

> I'm still looking for a rule to block packets based on content with ip-tables. (I understood this "is" stateful inspection)

AFAIK, stateful inspection is inspection on the basis of earlier packets, i.e. TCP flags set and the like.

hth
dan

--
buddha 2.4.20-4GB 10:11am up 2 days 16:54, 3 users,
A few hours ago I read that it's possible (with stateful inspection) to filter by content.

Best regards
Bruno Leonhardt
LPI Level 1 Certified
Watchguard Certified System Professional
CLP Domino R5 Systemadministrator

Dan Am <suse@dertext.de> wrote on 25.08.2003 10:13:30:
Hi,

BLeonhardt@analytek.de wrote:

> I'm still looking for a rule to block packets based on content with ip-tables. (I understood this "is" stateful inspection)

deep buried in the back of my head i have the opinion that filtering packets based on content with iptables is one of the "don'ts". e.g.: http://lists.shorewall.net/pipermail/shorewall-users/2003-January/004782.htm...

if you want to filter based on content string, you will need the strings patch for iptables: http://www.netfilter.org/documentation/pomlist/pom-extra.html#string

still i suggest that you don't do this with iptables. you could use a tcp proxy with filtering capabilities for this and i'm also quite sure snort could also handle this for you.

imho the best solution is to use the suggested filtering capabilities of MTAs like postfix. if you don't want to play around on your running mailserver, you could redirect mail traffic over to a second new MTA host that does nothing more than filtering out sobig and passing the rest of the mail to your real mailserver.

peace,
Tom
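As an added illustration (not part of the thread), the Python below shows the limitation behind Tom's "don't": a packet-level string match such as the netfilter string patch inspects one segment at a time, so a signature that happens to straddle a segment boundary is never seen whole, whereas a TCP proxy or an MTA works on the reassembled stream and still matches it. The marker and the message are constructed placeholders, not the real Sobig.F pattern.

```python
from typing import List

# Constructed placeholder standing in for a worm signature string; it is
# not the real Sobig.F pattern, and the message below is made up as well.
MARKER = b"CONSTRUCTED-WORM-MARKER"

MESSAGE = (
    b"From: someone@example.invalid\r\n"
    b"Subject: Re: Details\r\n"
    b"\r\n"
    b"Please see the attached file.\r\n"
    b"--boundary\r\n"
    b'Content-Disposition: attachment; filename="' + MARKER + b'.pif"\r\n'
    b"\r\n.\r\n"
)


def segment(stream: bytes, mss: int) -> List[bytes]:
    """Cut a byte stream into TCP segments of at most mss bytes."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def straddling_split(stream: bytes, marker: bytes, mss: int) -> List[bytes]:
    """Deliver the same bytes, but with the marker cut in half at a boundary.

    Where a segment ends is decided by the sending side, not by the filter.
    """
    cut = stream.index(marker) + len(marker) // 2
    return [stream[:cut]] + segment(stream[cut:], mss)


def per_packet_match(segments: List[bytes], marker: bytes) -> bool:
    """What a packet-level string match sees: one segment at a time."""
    return any(marker in seg for seg in segments)


def stream_match(segments: List[bytes], marker: bytes) -> bool:
    """What a proxy or MTA sees: the reassembled stream."""
    return marker in b"".join(segments)


if __name__ == "__main__":
    whole = segment(MESSAGE, 1460)
    split = straddling_split(MESSAGE, MARKER, 64)
    print("one segment : packet-level", per_packet_match(whole, MARKER),
          "stream", stream_match(whole, MARKER))
    print("split marker: packet-level", per_packet_match(split, MARKER),
          "stream", stream_match(split, MARKER))
```

The same bytes reach the mail server in both runs; only the stream-level check catches the marker in the second one, which is why filtering at the MTA (or a proxy that reassembles) is the more reliable place for this.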
participants (4)
- BLeonhardt@analytek.de
- Dan Am
- Thomas Seliger
- Ulrich Roth