* examining data portion of packet
@ 2004-03-24  5:45 Sandy C
  2004-03-24  7:18 ` Ray Leach
  2004-03-24 11:50 ` John A. Sullivan III
  0 siblings, 2 replies; 7+ messages in thread
From: Sandy C @ 2004-03-24  5:45 UTC (permalink / raw)
  To: netfilter

   I would like to be able to examine the
data portion of a network packet after matching it.

   I figured there would be some kind of target for
this, but there isn't...or at least I couldn't find
any.

   What is the best way to go about this? Should I be
thinking of writing a target extension?

Thanks!
S C


__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: examining data portion of packet
  2004-03-24  5:45 examining data portion of packet Sandy C
@ 2004-03-24  7:18 ` Ray Leach
  2004-03-24  8:59   ` Frederic de Villamil
  2004-03-24 11:50 ` John A. Sullivan III
  1 sibling, 1 reply; 7+ messages in thread
From: Ray Leach @ 2004-03-24  7:18 UTC (permalink / raw)
  To: Netfilter Mailing List


On Wed, 2004-03-24 at 07:45, Sandy C wrote:
>    I would like to be able to examine the
> data portion of a network packet after matching it.
> 
>    I figured there would be some kind of target for
> this, but there isn't...or at least I couldn't find
> any.
> 
>    What is the best way to go about this? Should I be
> thinking of writing a target extension?
> 
You could use something like ntop or tcpdump.

> Thanks!
> S C
> 
> 
> __________________________________
> Do you Yahoo!?
> Yahoo! Finance Tax Center - File online. File on time.
> http://taxes.yahoo.com/filing.html
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--



* Re: examining data portion of packet
  2004-03-24  7:18 ` Ray Leach
@ 2004-03-24  8:59   ` Frederic de Villamil
  0 siblings, 0 replies; 7+ messages in thread
From: Frederic de Villamil @ 2004-03-24  8:59 UTC (permalink / raw)
  To: Ray Leach; +Cc: Netfilter Mailing List


> On Wed, 2004-03-24 at 07:45, Sandy C wrote:
>>    I would like to be able to examine the
>> data portion of a network packet after matching it.
>>
>>    I figured there would be some kind of target for
>> this, but there isn't...or at least I couldn't find
>> any.
>>
>>    What is the best way to go about this? Should I be
>> thinking of writing a target extension?
>>
> You could use something like ntop or tcpdump.
>
>> Thanks!
>> S C

Hi,
maybe you should try Ethereal. It has some very powerful filtering
functions that may fit your needs.

-- 
Frédéric de Villamil.
President, Epitanime
Love your enemies; it is not easy, but it will piss them off.
neuro@seclab.jp                             http://www.seclab.jp



* Re: examining data portion of packet
  2004-03-24  5:45 examining data portion of packet Sandy C
  2004-03-24  7:18 ` Ray Leach
@ 2004-03-24 11:50 ` John A. Sullivan III
  2004-03-24 17:22   ` Sandy C
  1 sibling, 1 reply; 7+ messages in thread
From: John A. Sullivan III @ 2004-03-24 11:50 UTC (permalink / raw)
  To: Sandy C; +Cc: netfilter

On Wed, 2004-03-24 at 00:45, Sandy C wrote:
>    I would like to be able to examine the
> data portion of a network packet after matching it.
> 
>    I figured there would be some kind of target for
> this, but there isn't...or at least I couldn't find
> any.
> 
>    What is the best way to go about this? Should I be
> thinking of writing a target extension?
<snip>
It depends on what you want to do.  What do you want to do with the
information?
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 




* Re: examining data portion of packet
  2004-03-24 11:50 ` John A. Sullivan III
@ 2004-03-24 17:22   ` Sandy C
  2004-03-24 19:57     ` John A. Sullivan III
  2004-03-25 19:53     ` Michael Rash
  0 siblings, 2 replies; 7+ messages in thread
From: Sandy C @ 2004-03-24 17:22 UTC (permalink / raw)
  To: netfilter

I'd like to be able to examine the network data, and
if the data (not the header info) matches certain
criteria, I want to perform certain actions. It's not
clear to me what those actions might be yet.

S C 

--- "John A. Sullivan III"
<john.sullivan@nexusmgmt.com> wrote:
> On Wed, 2004-03-24 at 00:45, Sandy C wrote:
> >    I would like to be able to examine the
> > data portion of a network packet after matching it.
> > 
..
> >    What is the best way to go about this? Should I be
> > thinking of writing a target extension?
> <snip>
> It depends on what you want to do.  What do you want
> to do with the information?
> -- 
> John A. Sullivan III


__________________________________
Do you Yahoo!?
Yahoo! Finance Tax Center - File online. File on time.
http://taxes.yahoo.com/filing.html



* Re: examining data portion of packet
  2004-03-24 17:22   ` Sandy C
@ 2004-03-24 19:57     ` John A. Sullivan III
  2004-03-25 19:53     ` Michael Rash
  1 sibling, 0 replies; 7+ messages in thread
From: John A. Sullivan III @ 2004-03-24 19:57 UTC (permalink / raw)
  To: Sandy C; +Cc: netfilter

Have you looked at Snort (http://www.snort.org)? That will allow you
to look for patterns in the application layer payload.
- John

On Wed, 2004-03-24 at 12:22, Sandy C wrote:
> I'd like to be able to examine the network data, and
> if the data (not the header info) matches certain
> criteria, I want to perform certain actions. It's not
> clear to me what those actions might be yet.
> 
> S C 
> 
> --- "John A. Sullivan III"
> <john.sullivan@nexusmgmt.com> wrote:
> > On Wed, 2004-03-24 at 00:45, Sandy C wrote:
> > >    I would like to be able to examine the
> > > data portion of a network packet after matching it.
> > > 
> ..
> > >    What is the best way to go about this? Should I be
> > > thinking of writing a target extension?
> > <snip>
> > It depends on what you want to do.  What do you want
> > to do with the information?
> > -- 
> > John A. Sullivan III
> 
> 
> __________________________________
> Do you Yahoo!?
> Yahoo! Finance Tax Center - File online. File on time.
> http://taxes.yahoo.com/filing.html
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com




* Re: examining data portion of packet
  2004-03-24 17:22   ` Sandy C
  2004-03-24 19:57     ` John A. Sullivan III
@ 2004-03-25 19:53     ` Michael Rash
  1 sibling, 0 replies; 7+ messages in thread
From: Michael Rash @ 2004-03-25 19:53 UTC (permalink / raw)
  To: Sandy C; +Cc: netfilter

On Mar 24, 2004, Sandy C wrote:

> I'd like to be able to examine the network data, and
> if the data (not the header info) matches certain
> criteria, I want to perform certain actions. It's not
> clear to me what those actions might be yet.

Sounds like you may be looking for an "active response" capability.
Here are three pieces of software that can react based on
application layer data:

snortsam:       http://www.snortsam.net/
fwsnort:        http://www.cipherdyne.org/fwsnort/
snort_inline:   http://snort-inline.sourceforge.net/

Deploying such functionality essentially gives the network the
capability to reconfigure itself based on signatures that can easily
generate false positives!  You have been warned.

--Mike

Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F


> --- "John A. Sullivan III"
> <john.sullivan@nexusmgmt.com> wrote:
> > On Wed, 2004-03-24 at 00:45, Sandy C wrote:
> > >    I would like to be able to examine the
> > > data portion of a network packet after matching it.
> > > 
> ..
> > >    What is the best way to go about this? Should I be
> > > thinking of writing a target extension?
> > <snip>
> > It depends on what you want to do.  What do you want
> > to do with the information?
> > -- 
> > John A. Sullivan III
> 
> 
> __________________________________
> Do you Yahoo!?
> Yahoo! Finance Tax Center - File online. File on time.
> http://taxes.yahoo.com/filing.html



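John's Snort suggestion and Mike's active-response warning come down to the same two steps: find the data portion of the packet correctly, then decide what to do when a content signature matches it. What follows is an added example written for this page; it is not code from the thread, from Snort, or from snortsam, fwsnort or snort_inline. The Signature format is a hypothetical simplification modelled loosely on Snort's content/offset/depth options, the packets are constructed inline, and the addresses and ports are made up.

```python
# Added example for this thread (not code from Snort, fwsnort, snortsam or
# snort_inline): walk an IPv4/TCP packet down to its data portion and run
# Snort-style content signatures over it. The Signature format is a
# hypothetical simplification of Snort's content/offset/depth options.
import socket
import struct
from dataclasses import dataclass

ACTION_RANK = {"pass": 0, "alert": 1, "drop": 2}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_ipv4_tcp(frame: bytes) -> Packet:
    """Return the TCP data portion, honouring IHL, TCP data offset and IP total length.

    Slicing at a fixed frame[40:] is the classic mistake: IP or TCP options shift
    the payload, and link-layer padding after the IP datagram is not data.
    """
    ver_ihl, _tos, total_len = struct.unpack_from("!BBH", frame, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len > len(frame) or ihl + 20 > total_len:
        raise ValueError("bad IPv4 header")
    if frame[9] != 6:
        raise ValueError("not TCP")
    src = socket.inet_ntoa(frame[12:16])
    dst = socket.inet_ntoa(frame[16:20])
    sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", frame, ihl)
    doff = (off_flags >> 12) * 4
    if doff < 20 or ihl + doff > total_len:
        raise ValueError("bad TCP header")
    return Packet(src, dst, sport, dport, bytes(frame[ihl + doff:total_len]))


@dataclass
class Signature:
    sid: int
    action: str       # "alert" or "drop"
    dport: int
    contents: tuple   # (pattern, offset, depth) triples; depth None = rest of payload
    msg: str = ""


def content_match(payload: bytes, pattern: bytes, offset: int, depth) -> bool:
    end = len(payload) if depth is None else offset + depth
    return pattern in payload[offset:end]


def inspect(frame: bytes, sigs) -> tuple:
    """Return (most severe action, [sids that matched]) for one packet."""
    pkt = parse_ipv4_tcp(frame)
    hits = [s for s in sigs
            if s.dport == pkt.dport
            and all(content_match(pkt.payload, *c) for c in s.contents)]
    action = max((s.action for s in hits), key=ACTION_RANK.get, default="pass")
    return action, [s.sid for s in hits]


def build_ipv4_tcp(src, dst, sport, dport, payload, tcp_options=b"", pad=b""):
    """Constructed test packet (PSH/ACK; checksums left zero, the parser does not verify them)."""
    opts = tcp_options + b"\x00" * (-len(tcp_options) % 4)
    tcp_len = 20 + len(opts)
    total_len = 20 + tcp_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1,
                      ((tcp_len // 4) << 12) | 0x18, 65535, 0, 0)
    return ip + tcp + opts + payload + pad


SIGS = [
    # Loose: "/etc/passwd" anywhere in port-80 data. Fires on any page or post
    # that merely mentions the file; tied to a drop/block action it is exactly
    # the self-reconfiguring-network trap Mike warns about.
    Signature(1, "drop", 80, ((b"/etc/passwd", 0, None),), "loose: /etc/passwd anywhere"),
    # Tighter: only a GET request line that reaches the file by traversal.
    Signature(2, "alert", 80, ((b"GET ", 0, 4), (b"../etc/passwd", 0, 512)),
              "traversal to /etc/passwd in GET request line"),
]

# Constructed sample traffic. ATTACK carries TCP NOP,NOP,timestamp options, so a
# fixed 40-byte header assumption would start 12 bytes too early; BENIGN has
# link-layer padding after the datagram and merely mentions the file in a wiki edit.
ATTACK = build_ipv4_tcp("10.0.0.5", "10.0.0.80", 40001, 80,
                        b"GET /cgi-bin/view?f=../../etc/passwd HTTP/1.0\r\nHost: www\r\n\r\n",
                        tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
BENIGN = build_ipv4_tcp("10.0.0.7", "10.0.0.80", 40002, 80,
                        b"POST /wiki/edit HTTP/1.0\r\n\r\nnote=accounts live in /etc/passwd on Unix",
                        pad=b"\x00" * 6)

if __name__ == "__main__":
    for name, frame in (("attack", ATTACK), ("benign", BENIGN)):
        print(name, inspect(frame, SIGS), inspect(frame, SIGS[1:]))
```

Run it and the loose signature returns "drop" for both packets, the tight one only alerts on the traversal request: that is the false-positive problem in miniature, and why a rule set that feeds an automatic blocking response needs the second kind of rule, not the first. In production you would not hand-roll this; Snort does the matching, and fwsnort turns Snort content rules into iptables rules so the decision can be made in netfilter itself.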
