Re: Re: AW: Re: AW: [suse-security] IPTables and filtering Traffic based on content ( e.g. sobig )
I'm looking for a possibility to look into the data with iptables, not proxies or anything; proxies are too slow ... imho

Best regards
Bruno Leonhardt
LPI Level 1 Certified, Watchguard Certified System Professional, CLP Domino R5 System Administrator

"Bodo Hoffmann" <hoffmann@itfuture.de> wrote on 25.08.2003 11:23:06:
One question to all those who are using IPTables to filter out patterns in traffic ....
HOW ??
IPTables is (and please correct me if I am wrong) a packet filter with the ability to store the states of a connection and use them to increase the range of the rules used to filter packets .. a stateful inspection packet filter .. (works on ISO/OSI Layer 4/5).
YOU are looking for an application level firewall (e.g. a proxy) which works on ISO/OSI Layer 7 (Application) and will be able to look INTO the packet .. this can be done by mail filters, virus scanners, proxies etc...
You can use IPTables to forward those ports (e.g. 25 SMTP) to those filters or use IPTables to block traffic which is sent over specific ports the virus uses to spread/communicate, but not use IPTables to SCAN for CONTENT patterns.... !!!! (Maybe the name packet filter firewall is a bit confusing ..)
Bodo Hoffmann
----- Original Message -----
From: <BLeonhardt@analytek.de>
To: "suse-sec" <suse-security@suse.com>
Sent: Monday, August 25, 2003 11:02 AM
Subject: Re: AW: Re: AW: [suse-security] IPTables and filtering Traffic based on content ( e.g. sobig )
Philipp, could you please give me a hint on how to build the rule for the pattern to filter out???

Best regards
Bruno Leonhardt
LPI Level 1 Certified, Watchguard Certified System Professional, CLP Domino R5 System Administrator

"mailinglists" <mailinglists@belfin.ch> wrote on 25.08.2003 10:50:21:
A few hours ago I read that it's possible (with stateful inspection) to filter by content.
Yes, it is. I filter Code Red that way. But to do so, you need to know the pattern.
I googled for it but could not find anything.
Philipp
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
I'm looking for a possibility to look into the data with iptables, not proxies or anything; proxies are too slow ... imho
That may be, but have you considered that iptables lets you work on packets and that the string you are looking for can easily be broken into two parts: one half at the end of one packet, the other half at the beginning of the next? Simply filtering with iptables for a string will do so without any regard for the context of that string. Consider receiving a virus warning e-mail with "do not open any .pif attachments".
If you still want to pursue this path, you could consider experimenting with user-space filtering. You'll find that in the kernel config menu. I've not got any experience with that personally, and have no plans in that direction either.
Peter
Oh, and one more thing:
Mit freundlichen Grüßen / Best regards [ SNIP SNIP SNIP ]
Try to quote a little bit more friendly next time.
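The two objections Peter raises (a pattern straddling a segment boundary, and a keyword matching a legitimate warning mail) are easy to reproduce. The following is an added example, not code from the thread and not iptables itself: a small Python model that splits a constructed e-mail payload into segments and compares a naive per-packet string match with a reassembling, stateful match. The payload, the segment size and the function names are all assumptions made for the illustration.

```python
"""Added example: per-packet string matching versus stream-aware matching.

Models the objection from the thread that a packet filter which inspects one
packet at a time will miss a pattern split across two packets, and that a
pure keyword match fires on legitimate text (a virus *warning*) as readily
as on the virus itself. Names and sample data are constructed.
"""

PATTERN = b".pif"  # the keyword a naive content filter might look for


def segment(payload: bytes, mss: int) -> list[bytes]:
    """Cut an application payload into TCP-segment-sized chunks (constructed model)."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def per_packet_match(segments: list[bytes], pattern: bytes = PATTERN) -> list[int]:
    """Naive filter: look at every packet in isolation.

    Returns the indices of the segments that contain the pattern. A pattern
    that begins at the end of one segment and ends in the next is never seen.
    """
    return [i for i, seg in enumerate(segments) if pattern in seg]


def stream_match(segments: list[bytes], pattern: bytes = PATTERN) -> list[int]:
    """Stateful filter: remember the tail of the previous segment.

    Carrying the last len(pattern) - 1 bytes across the boundary is the
    minimum state needed to catch a split pattern; a proxy that reassembles
    the whole stream does strictly more than this.
    """
    hits: list[int] = []
    carry = b""
    for i, seg in enumerate(segments):
        window = carry + seg
        if pattern in window:
            hits.append(i)
        carry = window[-(len(pattern) - 1):] if len(pattern) > 1 else b""
    return hits


def demo(mss: int = 44) -> dict:
    """Constructed sample: a *legitimate* warning e-mail that mentions '.pif'.

    With mss=44 the constructed payload places '.p' at the end of segment 0
    and 'if' at the start of segment 1, so the per-packet filter sees nothing
    while the stream filter reports segment 1. With a large mss both report
    segment 0, which also shows that a keyword alone cannot tell a warning
    from a worm; that is the context a proxy or mail filter can evaluate.
    """
    payload = (b"Subject: virus warning\r\n\r\n"
               b"Do not open any .pif attachments sent by unknown senders.\r\n")
    segs = segment(payload, mss)
    return {
        "segments": len(segs),
        "per_packet": per_packet_match(segs),
        "stream": stream_match(segs),
    }


if __name__ == "__main__":
    print(demo(44))   # split across the boundary: per-packet misses it
    print(demo(100))  # whole payload in one segment: both filters fire
```

Running `demo(44)` gives two segments, an empty per-packet result and a stream hit on segment 1; `demo(100)` gives one segment and a hit from both filters.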
Hi folks, BLeonhardt@analytek.de wrote:
I'm looking for a possibility to look into the data with iptables, not proxies or anything; proxies are too slow ... imho
Then you are wrong imho, it's a lot about configuration. Using the string filtering in iptables is possible, but this will eat speed as a proxy will. Looking at commercial products like GeNUGate, the use of proxies is quite common. On a GeNUGate (basically an Intel BSD system) every connection goes over a proxy and it's not slow. Also it's considered wise to separate packet filtering and application level gateways. I guess that's just blahblah of security guys, well.
If somebody is interested in the definition of Stateful Inspection I could send you a sheet by Checkpoint (they developed stateful inspection) where exactly is defined what stateful inspection is and what it does.
So Checkpoint has the patent on what's stateful and what is not ;)? Btw. filtering *single* packets based on strings that are contained within is not stateful, and has nothing to do with statefulness, since only this packet is inspected. If you would drop/disallow a connection based on keywords, this would be stateful. Ooops, that's what a proxy/application level filter does for you :)
Another issue (and I'm not sure about this, somebody with more knowledge is invited to jump in): if you drop *single* packets out of a stream of packets, what happens? Let's say you drop the third packet because it matches the keyword. Would the sender not try to resend the packet because he gets no ACK for it? And based on the implementation try to resend it again until it times out? This would result in increased network traffic?
peace, Tom
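Tom's retransmission question can be answered with a toy model. The following is an added example, not code from the thread: a Python simulation of a sender that resends an unacknowledged segment up to a retry limit, run once against a filter that silently drops a single matching segment and once against a filter that terminates the connection on the first match (the connection-level decision Tom attributes to a proxy). The retry limit, the marker string and the segment contents are constructed assumptions; real TCP uses exponential back-off on its retransmission timer, which the model omits.

```python
"""Added example: what a silently dropped TCP segment costs in traffic.

Toy model of the question raised in the thread: if a packet filter drops
one segment because it matches a keyword, the sender never sees an ACK and
retransmits until it gives up. Compared with terminating the connection at
the first match. All inputs are constructed; no real network I/O happens.
"""

from dataclasses import dataclass
from typing import Callable


@dataclass
class Stats:
    sent: int = 0             # segments put on the wire (incl. retransmissions)
    delivered: int = 0        # segments that reached the receiver
    retransmissions: int = 0  # sends beyond the first attempt of a segment
    gave_up: bool = False     # sender hit the retry limit (timeout)
    reset: bool = False       # filter tore the connection down instead


def simulate(segments: list[bytes],
             is_bad: Callable[[bytes], bool],
             max_retries: int = 3,
             reset_on_match: bool = False) -> Stats:
    """Send segments in order; a segment is ACKed only if the filter passes it.

    reset_on_match=False: the filter drops the matching segment silently, so
    the sender retransmits it until max_retries is exhausted (modelled as the
    RTO-driven retry loop ending in a timeout).
    reset_on_match=True:  the filter ends the connection at the first match,
    the way a connection-aware gateway would; nothing is retransmitted.
    """
    stats = Stats()
    for seg in segments:
        attempts = 0
        while True:
            stats.sent += 1
            attempts += 1
            if attempts > 1:
                stats.retransmissions += 1
            if not is_bad(seg):
                stats.delivered += 1
                break
            if reset_on_match:
                stats.reset = True
                return stats
            if attempts > max_retries:
                stats.gave_up = True
                return stats
    return stats


# Constructed marker standing in for a worm signature; constructed stream.
MARKER = b"worm-marker"
SAMPLE_STREAM = [
    b"GET /index.html HTTP/1.0\r\n",
    b"Host: example.test\r\n",
    b"X-Payload: contains worm-marker here\r\n",
    b"\r\n",
]


def contains_marker(seg: bytes) -> bool:
    return MARKER in seg


def demo() -> dict:
    """Compare silent per-packet dropping with a connection-level decision."""
    return {
        "drop_single_packet": simulate(SAMPLE_STREAM, contains_marker),
        "reset_connection": simulate(SAMPLE_STREAM, contains_marker,
                                     reset_on_match=True),
    }


if __name__ == "__main__":
    for name, st in demo().items():
        print(name, st)
```

With the defaults the silent-drop run puts six segments on the wire (two delivered, the third sent four times before the sender gives up, the fourth never sent), while the reset run stops after three sends with no retransmissions. The extra traffic is modest per connection but it is the sender's retry budget, not the filter, that decides when it ends.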
Hi,
so, I guess it's possible to put all related packets into a user space, merging all packets / or better fragments together and look for the string, then deciding if dropping or not. So the http or any other connection oriented server should get its ACK and the firewall will decide if dropping the packets or not. This will not increase the network traffic, but the requirements onto the hardware. Am I wrong???

Greetings,
Bruno Leonhardt
LPI Level 1 Certified, Watchguard Certified System Professional, CLP Domino R5 System Administrator

Thomas Seliger <CRJLJAKTJORB@spammotel.com> wrote on 25.08.2003 14:41:52:
Hi folks,
[snip]
if you drop *single* packets out of a stream of packets, what happens? Let's say you drop the third packet because it matches the keyword. Would the sender not try to resend the packet because he gets no ACK for it? And based on the implementation try to resend it again until it times out? This would result in increased network traffic?
peace, Tom
Hi again, BLeonhardt@analytek.de wrote:
so, I guess it's possible to put all related packets into a user space, merging all packets / or better fragments together and look for the string, then deciding if dropping or not. So the http or any other connection oriented server should get its ACK and the firewall will decide if dropping the packets or not. This will not increase the network traffic, but the requirements onto the hardware.
You are suggesting to write a userspace daemon that queues the packets of a connection, evaluates the content and takes actions like allowing it to pass through or denying/dropping it, right? You, sir, are talking about a proxy/application level gateway ;)
peace, Tom
Not directly; with ALGs the packets have to go through the whole OSI model. If you're catching these packets at Level 4 and look into the string, this would be much faster, wouldn't it?

cheers,
Bruno Leonhardt
LPI Level 1 Certified, Watchguard Certified System Professional, CLP Domino R5 System Administrator

Thomas Seliger <CRJLJAKTJORB@spammotel.com> wrote on 25.08.2003 18:15:37:
Hi again,
BLeonhardt@analytek.de wrote:
so, I guess it's possible to put all related packets into a user space, merging all packets / or better fragments together and look for the string, then deciding if dropping or not. So the http or any other connection oriented server should get its ACK and the firewall will decide if dropping the packets or not. This will not increase the network traffic, but the requirements onto the hardware.
You are suggesting to write a userspace daemon that queues the packets of a connection, evaluates the content and takes actions like allowing it to pass through or denying/dropping it, right?
You, sir, are talking about a proxy/application level gateway ;)
peace, Tom
participants (3)
- BLeonhardt@analytek.de
- Peter van den Heuvel
- Thomas Seliger