Did a quick search on the netfilter site and this is what I found
regarding the match string module
Last days I often see below messages in Apache log files:
1.1.1.1 - - [09/Jul/2003:17:32:00+0200] "POST
http://11.1.106.18:25/ HTTP/1.1" 200 475 > "-" "-"
3.18 string patch
This patch by Emmanuel Roger adds a new match
that allows you to match a string anywhere in the packet.
For example, to match packets containing the string ``cmd.exe'' anywhere
in the packet and queue them to a userland IDS, you could use :
# iptables -A INPUT -m string --string 'cmd.exe' -j QUEUE
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
QUEUE all -- anywhere anywhere STRING match
cmd.exe
Please do use this match with caution. A lot of people want to use this
match to stop worms, along with the DROP target. This is a major
mistake. It would be defeated by any IDS evasion method.
In a similar fashion, a lot of people have been using this match as a
mean to stop particular functions in HTTP like POST or GET by dropping
any HTTP packet containing the string POST. Please understand that this
job is better done by a filtering proxy. Additionally, any HTML content
with the word POST would get dropped with the former method. This match
has been designed to be able to queue to userland interesting packets
for better analysis, that's all. Dropping packet based on this would be
defeated by any IDS evasion method.
Supported options for the string match are :
--string [!] string
-> Match a string in a packet
