* -m string and RELATED
@ 2002-11-04 10:14 Arkadiusz Miskiewicz
From: Arkadiusz Miskiewicz @ 2002-11-04 10:14 UTC (permalink / raw)
To: netfilter
Hi,
I'm trying to log the whole stream based on a string match.
iptables -A INPUT -m string --string "xyztest" -j LOG --log-prefix "xyztest: " -m state --state NEW,ESTABLISHED,RELATED
[misiek@ikar misiek]$ telnet misie.k.pl 25
Trying 156.17.236.105...
Connected to misie.k.pl.
Escape character is '^]'.
220 misie.k.pl ESMTP Exim 4.10 Mon, 04 Nov 2002 11:11:18 +0100
xyztest
500 unrecognized command
- Nov 4 11:11:20 arm kernel: xyztest: IN=eth0 OUT= MAC=00:10:22:fe:5a:91:00:02:44:1f:f3:b4:08:00 SRC=156.17.235.253 DST=156.17.236.105 LEN=61 TOS=0x10 PREC=0x00 TTL=62 ID=53540 DF PROTO=TCP SPT=2637 DPT=25 WINDOW=5840 RES=0x00 ACK PSH URGP=0
(logged packet which contains xyztest packet)
tralala
500 unrecognized command
- nothing logged
Why is this not working - there is an ESTABLISHED,RELATED rule - any ideas?
(I have conntrack modules loaded).
--
Arkadiusz Miśkiewicz CS at FoE, Wroclaw University of Technology
arekm@sse.pl AM2-6BONE, 1024/3DB19BBD, arekm(at)ircnet, PLD/Linux
* Re: -m string and RELATED
From: Cedric Blancher @ 2002-11-04 10:42 UTC (permalink / raw)
To: Arkadiusz Miskiewicz; +Cc: netfilter
On Mon 04/11/2002 at 11:14, Arkadiusz Miskiewicz wrote:
> iptables -A INPUT -m string --string "xyztest" -j LOG --log-prefix "xyztest: " -m state --state NEW,ESTABLISHED,RELATED
>
> [misiek@ikar misiek]$ telnet misie.k.pl 25
> Trying 156.17.236.105...
> Connected to misie.k.pl.
> Escape character is '^]'.
> 220 misie.k.pl ESMTP Exim 4.10 Mon, 04 Nov 2002 11:11:18 +0100
> xyztest
> 500 unrecognized command
>
> - Nov 4 11:11:20 arm kernel: xyztest: IN=eth0 OUT= MAC=00:10:22:fe:5a:91:00:02:44:1f:f3:b4:08:00 SRC=156.17.235.253 DST=156.17.236.105 LEN=61 TOS=0x10 PREC=0x00 TTL=62 ID=53540 DF PROTO=TCP SPT=2637 DPT=25 WINDOW=5840 RES=0x00 ACK PSH URGP=0
> (logged packet which contains xyztest packet)
>
> tralala
> 500 unrecognized command
>
> - nothing logged
>
> Why is this not working - there is an ESTABLISHED,RELATED rule - any ideas?
> (I have conntrack modules loaded).
I do not see your problem. You want to log packets that:
. contain the string "xyztest"
AND
. are NEW, ESTABLISHED or RELATED
The first packet logged matches, but not the second, as it does not
contain the string "xyztest".
So, WTF ? :)))
If you want to log the whole session that follows a packet containing
string "xyztest", then it will be a little more tricky. You have to use
the patch-o-matic CONNMARK patch (extra section) which provides a target
to set per connection mark, and a connmark match to match against it.
By the way, I did not test it...
--
Cédric Blancher <blancher@cartel-securite.fr>
Systems and network security consultant - Cartel Sécurité
Tel: +33 (0)1 44 06 97 87 - Fax: +33 (0)1 44 06 97 99
PGP KeyID:157E98EE FingerPrint:FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: -m string and RELATED
From: Arkadiusz Miskiewicz @ 2002-11-04 12:25 UTC (permalink / raw)
To: netfilter
Cedric Blancher <blancher@cartel-securite.fr> writes:
> I do not see your problem. You want to log packets that:
> . contain the string "xyztest"
> AND
> . are NEW, ESTABLISHED or RELATED
>
> The first packet logged matches, but not the second, as it does not
> contain the string "xyztest".
>
> So, WTF ? :)))
I was thinking of the other packets as related to the one with "xyztest"
in it, because they all come from the same connection.
> If you want to log the whole session that follows a packet containing
> string "xyztest", then it will be a little more tricky. You have to use
> the patch-o-matic CONNMARK patch (extra section) which provides a target
> to set per connection mark, and a connmark match to match against it.
Nice, thanks. That should do it.
--
Arkadiusz Miśkiewicz CS at FoE, Wroclaw University of Technology
arekm@sse.pl AM2-6BONE, 1024/3DB19BBD, arekm(at)ircnet, PLD/Linux
* Re: -m string and RELATED
From: Antony Stone @ 2002-11-04 19:04 UTC (permalink / raw)
To: netfilter
On Monday 04 November 2002 10:14 am, Arkadiusz Miskiewicz wrote:
> Hi,
>
> I'm trying to log whole stream basing on string match.
>
> iptables -A INPUT -m string --string "xyztest" -j LOG --log-prefix
> "xyztest: " -m state --state NEW,ESTABLISHED,RELATED
>
> xyztest
> 500 unrecognized command
>
> - Nov 4 11:11:20 arm kernel: xyztest: IN=eth0 OUT=
> MAC=00:10:22:fe:5a:91:00:02:44:1f:f3:b4:08:00 SRC=156.17.235.253
> DST=156.17.236.105 LEN=61 TOS=0x10 PREC=0x00 TTL=62 ID=53540 DF PROTO=TCP
> SPT=2637 DPT=25 WINDOW=5840 RES=0x00 ACK PSH URGP=0 (logged packet which
> contains xyztest packet)
>
> tralala
> 500 unrecognized command
>
> - nothing logged
>
> Why is this not working - there is an ESTABLISHED,RELATED rule - any ideas?
It is working.
Every packet which comes in to the machine is tested against the rules in the
INPUT chain, and if the conditions match, then the target is triggered.
Your rule says "if the packet contains the string xyztest and is state new,
established, or related, then log the packet with prefix xyztest".
Therefore all packets which contain the string xyztest and which are new,
established or related will get logged.
If a packet doesn't contain the string xyztest it won't match the test and it
won't get logged.
Keep in mind that iptables is a packet filtering firewall. It examines each
packet independently.
Antony.
--
It is also possible that putting the birds in a laboratory setting
inadvertently renders them relatively incompetent.
- Daniel C Dennett
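To make concrete both Antony's point that each packet is tested on its own and Cedric's suggestion of marking the connection with the patch-o-matic CONNMARK target and then matching on that mark, here is an added example that is not part of the thread: the original per-packet rule beside a per-connection version. It assumes a kernel carrying the CONNMARK patch, the 2.4-era `-m string --string` syntax used in the thread, and an arbitrary mark value of 1; `IPT` defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): the per-packet rule from the original
# post beside a per-connection version built on the patch-o-matic CONNMARK
# target and connmark match. IPT defaults to a dry run that only prints the
# commands; run with IPT=iptables (as root, on a kernel with the CONNMARK
# patch) to load them. Mark value 1 is an arbitrary choice.
IPT="${IPT:-echo iptables}"

# The rule from the original post. iptables tests every packet on its own, so
# only packets that themselves carry "xyztest" are logged; the state match
# does not make the string match remember earlier packets of the connection.
per_packet_rule() {
    $IPT -A INPUT -m string --string "xyztest" \
        -m state --state NEW,ESTABLISHED,RELATED \
        -j LOG --log-prefix "xyztest: "
}

# Per-connection logging: the string match sets a mark on the conntrack entry
# once, and from then on every packet of that connection carries the mark and
# can be logged even though it contains no "xyztest".
per_connection_rules() {
    # 1. Mark the connection as soon as one of its packets contains the string.
    $IPT -t mangle -A PREROUTING -m string --string "xyztest" \
        -j CONNMARK --set-mark 1
    # 2. Log every inbound packet of a marked connection (the marking packet
    #    included, since mangle PREROUTING runs before filter INPUT).
    $IPT -A INPUT -m connmark --mark 1 -j LOG --log-prefix "xyztest: "
    # 3. Log the replies too, so the whole session shows up in the log.
    $IPT -A OUTPUT -m connmark --mark 1 -j LOG --log-prefix "xyztest: "
}

per_packet_rule
per_connection_rules
```

With the connection rules in place the second telnet line ("tralala") is logged as well, because its packets belong to the connection that was marked when "xyztest" went by; with the original rule it never will be, whatever state match is added. Note that the mark lives on the conntrack entry, so it disappears when the connection times out.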