[ale] Iptables/multiple web servers

Bob Toxen bob at verysecurelinux.com
Fri Oct 3 21:50:45 EDT 2003


On Fri, Oct 03, 2003 at 12:20:01PM -0600, Chris Egolf wrote:
> Chris Egolf wrote:
> >1) There's an 'experimental' plugin for iptables that can examine 
> >packets for arbitrary text.  I forget what it's called, and it may even 
> >be part of the standard package now.  I can't find my reference to it at 
> >the moment. Sorry.

> Here it is, from the netfilter Patch-O-Matic page:

> http://www.netfilter.org/documentation/pomlist/pom-extra.html#string
Due to data streams getting broken up at somewhat arbitrary points, this
may not be the best way to scan for text.  Even scanning for a phrase
occasionally fails because it gets split in the middle between two packets.

Snort is designed to handle these sorts of problems well.  Have a look at
it.

> ============================================================================
>                                Chris Egolf
>              http://www.ugholf.net     cegolf at ugholf.net
> ============================================================================

Bob Toxen
bob at verysecurelinux.com               [Please use for email to me]
http://www.verysecurelinux.com        [Network&Linux/Unix security consulting]
http://www.realworldlinuxsecurity.com [My book:"Real World Linux Security 2/e"]
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.

"Microsoft: Unsafe at any clock speed!"
   -- Bob Toxen 10/03/2002
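The failure mode Bob describes, modelled in code. This is an added example, not code from the thread, from netfilter or from Snort: `per_packet_match` stands in for a packet-at-a-time string filter that sees each segment in isolation, while `reassemble`/`stream_match` stand in for what a stream-aware IDS does, rebuilding the TCP byte stream by sequence number before matching. The payload, the phrase, the sequence numbers and every function name are constructed for the example.

```python
"""Per-packet string matching vs. TCP stream reassembly (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """A TCP segment reduced to the two things that matter here."""
    seq: int      # sequence number of the first payload byte
    data: bytes   # payload carried by this segment


# Constructed sample traffic: one application message and the phrase a filter looks for.
NEEDLE = b"block this phrase"
PAYLOAD = b"hello, please block this phrase from leaving\n"


def segment_stream(payload, cut_points, first_seq=1000):
    """Slice one message into segments at the given byte offsets.
    This stands in for the sender and network choosing where segment boundaries fall."""
    bounds = [0] + sorted(cut_points) + [len(payload)]
    return [Segment(first_seq + a, payload[a:b])
            for a, b in zip(bounds, bounds[1:]) if b > a]


def per_packet_match(segments, needle):
    """Model of a packet-level string match: each segment is inspected alone,
    so a phrase that straddles two segments is never seen."""
    return any(needle in s.data for s in segments)


def reassemble(segments):
    """Rebuild the byte stream by sequence number. Tolerates out-of-order arrival
    and retransmitted bytes; refuses to proceed over a gap (a missing segment),
    because matching on a stream with a hole can give a wrong answer either way."""
    out = bytearray()
    next_seq = min(s.seq for s in segments)
    for s in sorted(segments, key=lambda s: s.seq):
        end = s.seq + len(s.data)
        if end <= next_seq:
            continue                      # pure retransmission, already have these bytes
        if s.seq > next_seq:
            raise ValueError(f"gap in stream before seq {s.seq}")
        out += s.data[next_seq - s.seq:]  # drop any overlapping prefix
        next_seq = end
    return bytes(out)


def stream_match(segments, needle):
    """Match against the reassembled stream instead of individual segments."""
    return needle in reassemble(segments)


def blind_cut_points(payload, needle):
    """Every single segment boundary at which a per-packet filter misses the phrase.
    For a phrase of length n there are n - 1 such boundaries."""
    return [c for c in range(1, len(payload))
            if not per_packet_match(segment_stream(payload, [c]), needle)]


if __name__ == "__main__":
    split_inside = segment_stream(PAYLOAD, [20])   # boundary falls inside the phrase
    print("per-packet:", per_packet_match(split_inside, NEEDLE))   # False
    print("reassembled:", stream_match(split_inside, NEEDLE))      # True
    print("blind boundaries:", len(blind_cut_points(PAYLOAD, NEEDLE)), "of", len(PAYLOAD) - 1)
```

The `blind_cut_points` helper makes "occasionally fails" concrete: for any phrase of length n, n - 1 of the possible segment boundaries hide it from a per-packet match, so the miss rate grows with the length of the phrase, which is exactly the case where a string rule is most useful.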


