[ale] Iptables/multiple web servers
Bob Toxen
bob at verysecurelinux.com
Fri Oct 3 21:50:45 EDT 2003
On Fri, Oct 03, 2003 at 12:20:01PM -0600, Chris Egolf wrote:
> Chris Egolf wrote:
> >1) There's an 'experimental' plugin for iptables that can examine
> >packets for arbitrary text. I forget what it's called, and it may even
> >be part of the standard package now. I can't find my reference to it at
> >the moment. Sorry.
> Here it is, from the netfilter Patch-O-Matic page:
> http://www.netfilter.org/documentation/pomlist/pom-extra.html#string
Due to data streams getting broken up at somewhat arbitrary points, this
may not be the best way to scan for text. Even scanning for a phrase
occasionally fails because it gets split in the middle between two packets.
Snort is designed to handle these sorts of problems well. Have a look at
it.
> ============================================================================
> Chris Egolf
> http://www.ugholf.net cegolf at ugholf.net
> ============================================================================
Bob Toxen
bob at verysecurelinux.com [Please use for email to me]
http://www.verysecurelinux.com [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
"Microsoft: Unsafe at any clock speed!"
-- Bob Toxen 10/03/2002
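The failure mode Bob describes, shown as an added example that is not part of the original post and is not code from netfilter or Snort: a constructed HTTP request is split into two TCP segments so that a watched phrase straddles the boundary. A per-segment match (what a packet-level string match does) misses it, while a sensor that reassembles the stream first (the approach Snort takes) finds it. The reassembly routine here is a deliberately small one that handles out-of-order and retransmitted segments; the request, the phrase and the segment size are all made up for the demonstration.

```python
# Added example: per-packet string matching versus stream reassembly.
# Everything below (request, pattern, segment size) is constructed for
# illustration and is not taken from the original post.

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Segment:
    """A TCP segment: starting sequence number plus its payload bytes."""
    seq: int
    payload: bytes


def split_into_segments(data: bytes, mss: int, start_seq: int = 1000) -> List[Segment]:
    """Cut a byte stream into segments of at most `mss` bytes, as a sender would."""
    return [Segment(start_seq + off, data[off:off + mss])
            for off in range(0, len(data), mss)]


def per_packet_match(segments: List[Segment], pattern: bytes) -> bool:
    """Packet-level check: look for the pattern inside each segment on its own.
    This is the behaviour that misses a phrase split across two segments."""
    return any(pattern in s.payload for s in segments)


def reassemble(segments: List[Segment], start_seq: Optional[int] = None) -> bytes:
    """Rebuild the byte stream from segments in sequence-number order.
    Tolerates out-of-order delivery and overlapping retransmissions;
    stops at the first gap, since data beyond a hole cannot be trusted."""
    ordered = sorted(segments, key=lambda s: s.seq)
    if not ordered:
        return b""
    expected = ordered[0].seq if start_seq is None else start_seq
    buf = bytearray()
    for s in ordered:
        end = s.seq + len(s.payload)
        if end <= expected:
            continue            # fully duplicated retransmission, nothing new
        if s.seq > expected:
            break               # gap before this segment: stop here
        buf += s.payload[expected - s.seq:]   # skip the already-seen overlap
        expected = end
    return bytes(buf)


def stream_match(segments: List[Segment], pattern: bytes) -> bool:
    """Stream-level check: reassemble first, then search the whole stream."""
    return pattern in reassemble(segments)


# Constructed sample: the watched phrase begins at byte 31 of a 47-byte
# request, so a 36-byte segment size cuts it into "CONFI" + "DENTIAL".
REQUEST = b"GET /report HTTP/1.0\r\nX-Label: CONFIDENTIAL\r\n\r\n"
PATTERN = b"CONFIDENTIAL"
SEGMENTS = split_into_segments(REQUEST, mss=36)


def demo() -> dict:
    """Return both verdicts so the difference is visible at a glance."""
    return {
        "per_packet": per_packet_match(SEGMENTS, PATTERN),   # False: phrase split
        "reassembled": stream_match(SEGMENTS, PATTERN),      # True: whole stream seen
    }


if __name__ == "__main__":
    for seg in SEGMENTS:
        print(f"seq={seg.seq} payload={seg.payload!r}")
    print(demo())
```

The same reassembly step is what lets a stream-aware sensor cope with segments arriving out of order or being retransmitted, which is why the packet-level match is the wrong tool once the phrase is longer than a few bytes or the segment size is outside your control.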