* filtering HTTP signatures/headers ?
@ 2006-03-01 11:45 S t i n g r a y
  2006-03-01 12:13 ` Rob Sterenborg
  0 siblings, 1 reply; 8+ messages in thread
From: S t i n g r a y @ 2006-03-01 11:45 UTC (permalink / raw)
  To: netfilter

Is it possible to filter HTTP signatures/headers with
iptables? Or is there an addon for it?

take care

*º¤., ¸¸,.¤º*¨¨¨*¤ Stingray *º¤., ¸¸,.¤º*¨¨*¤
              



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 



* Re: filtering HTTP signatures/headers ?
  2006-03-01 11:45 filtering HTTP signatures/headers ? S t i n g r a y
@ 2006-03-01 12:13 ` Rob Sterenborg
  2006-03-01 15:40   ` S t i n g r a y
  0 siblings, 1 reply; 8+ messages in thread
From: Rob Sterenborg @ 2006-03-01 12:13 UTC (permalink / raw)
  To: netfilter


On Wed, March 1, 2006 12:45, S t i n g r a y wrote:
> Is it possible to filter HTTP signatures/headers with
> iptables? Or is there an addon for it?

You may be able to use the string match, but you can only filter the payload of
one packet at a time: if a signature/header spans multiple packets then it
won't work.

Netfilter is not meant to do content filtering. Perhaps you can use Squid.


Gr,
Rob




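The limitation Rob describes, modelled in code. This is an added example, not code from the thread or from the netfilter project: it splits a constructed HTTP request into TCP-like segments and compares a per-packet search (what the iptables string match does, each payload on its own) with a search over the reassembled stream (what a proxy such as Squid sees). The request, the pattern, the segment sizes and the helper names are all my own.

```python
# Added example (not from the thread): why per-packet string matching can miss
# a header that a stream-aware inspector would see. All data is constructed.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Segment:
    """A TCP-like segment: sequence number plus payload bytes."""
    seq: int
    payload: bytes


# Constructed client request; the header we want to spot is the User-Agent line.
REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: ExampleP2PClient/1.0\r\n"
    b"\r\n"
)
PATTERN = b"User-Agent: ExampleP2PClient"


def segmentize(data: bytes, sizes: List[int], base_seq: int = 1000) -> List[Segment]:
    """Split data into segments of the given sizes; any remainder becomes a
    final segment. Sequence numbers advance by payload length, as in TCP."""
    segments, offset, seq = [], 0, base_seq
    for size in sizes:
        chunk = data[offset:offset + size]
        if not chunk:
            break
        segments.append(Segment(seq, chunk))
        offset += len(chunk)
        seq += len(chunk)
    if offset < len(data):
        segments.append(Segment(seq, data[offset:]))
    return segments


def match_per_packet(segments: List[Segment], pattern: bytes) -> bool:
    """What a per-packet string match does: each payload is searched alone,
    so a pattern that straddles a segment boundary is never seen whole."""
    return any(pattern in s.payload for s in segments)


def reassemble(segments: List[Segment]) -> bytes:
    """Order by sequence number and concatenate: the byte stream a proxy sees,
    even when segments arrive out of order."""
    return b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))


def match_reassembled(segments: List[Segment], pattern: bytes) -> bool:
    """Search the reassembled stream instead of individual payloads."""
    return pattern in reassemble(segments)


def compare(sizes: List[int], pattern: bytes = PATTERN) -> Tuple[bool, bool]:
    """Return (per_packet_hit, reassembled_hit) for REQUEST split at `sizes`."""
    segments = segmentize(REQUEST, sizes)
    return match_per_packet(segments, pattern), match_reassembled(segments, pattern)


if __name__ == "__main__":
    print("single segment:", compare([len(REQUEST)]))  # (True, True)
    print("split at 60   :", compare([60]))            # (False, True)
```

With the whole request in one segment both searches hit; once the segment boundary falls inside the User-Agent line only the reassembled search does, which is exactly why a header-level policy belongs in a proxy or a stream-aware inspector rather than in a per-packet match.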

* Re: filtering HTTP signatures/headers ?
  2006-03-01 12:13 ` Rob Sterenborg
@ 2006-03-01 15:40   ` S t i n g r a y
  2006-03-01 17:31     ` Rob Sterenborg
  0 siblings, 1 reply; 8+ messages in thread
From: S t i n g r a y @ 2006-03-01 15:40 UTC (permalink / raw)
  To: Rob Sterenborg, netfilter

Will it filter out HTTP tunneling also?








* Re: filtering HTTP signatures/headers ?
  2006-03-01 15:40   ` S t i n g r a y
@ 2006-03-01 17:31     ` Rob Sterenborg
  2006-03-02  4:04       ` S t i n g r a y
  0 siblings, 1 reply; 8+ messages in thread
From: Rob Sterenborg @ 2006-03-01 17:31 UTC (permalink / raw)
  To: netfilter

On Wed, March 1, 2006 16:40, S t i n g r a y wrote:
> Will it filter out HTTP tunneling also?

Do you mean you have a VPN tunnel which transfers HTTP, or what? If that is
the case, I don't think so; Squid can only inspect traffic that it can see, of
course. However, if the Squid box is at the end of the tunnel you may be able
to do it.
But maybe I don't understand correctly what problem you are trying to solve.


Gr,
Rob






* Re: filtering HTTP signatures/headers ?
  2006-03-01 17:31     ` Rob Sterenborg
@ 2006-03-02  4:04       ` S t i n g r a y
  2006-03-02  5:37         ` filtering HTTP signatures/headers ? (nfcan: addressed to exclusive sender for this address) Jim Laurino
  2006-03-02 11:36         ` filtering HTTP signatures/headers ? Oleg
  0 siblings, 2 replies; 8+ messages in thread
From: S t i n g r a y @ 2006-03-02  4:04 UTC (permalink / raw)
  To: Rob Sterenborg, netfilter

The problem is that I have a proxy/firewall box that
provides internet to my internal users. I have
only permitted the common ports like
ftp, http, smtp, pop3 etc. and blocked all others. Now
there are a couple of p2p applications out there that
tunnel through my port 80 as it's open; this is taking
up my internet bandwidth, and I want to stop that...

  regards







* Re: filtering HTTP signatures/headers ? (nfcan: addressed to exclusive sender for this address)
  2006-03-02  4:04       ` S t i n g r a y
@ 2006-03-02  5:37         ` Jim Laurino
  2006-03-02 11:04           ` Rob Sterenborg
  2006-03-02 11:36         ` filtering HTTP signatures/headers ? Oleg
  1 sibling, 1 reply; 8+ messages in thread
From: Jim Laurino @ 2006-03-02  5:37 UTC (permalink / raw)
  To: netfilter

On 2006.03.01 23:04, S t i n g r a y - fasi_74@yahoo.com wrote:
> The problem is that , i have a proxy/firewall box that
> provides internet to my internal users, now i have
> only permitted the common ports like
> ftp,http,smtp,pop3 etc etc & blocked all other , now
> there are couple of p2p applications out there that
> tunnel through my port 80 as its open, this is taking
> up my internet bandwidth, i want to stop that ...

Well, then what Rob said before applies.
Netfilter is not good for solving this problem.
Squid is reputed to be very good for this problem.

Regards,

Jim


-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.



* Re: filtering HTTP signatures/headers ? (nfcan: addressed to  exclusive sender for this address)
  2006-03-02  5:37         ` filtering HTTP signatures/headers ? (nfcan: addressed to exclusive sender for this address) Jim Laurino
@ 2006-03-02 11:04           ` Rob Sterenborg
  0 siblings, 0 replies; 8+ messages in thread
From: Rob Sterenborg @ 2006-03-02 11:04 UTC (permalink / raw)
  To: netfilter


On Thu, March 2, 2006 06:37, Jim Laurino wrote:
> On 2006.03.01 23:04, S t i n g r a y - fasi_74@yahoo.com wrote:
>> The problem is that , i have a proxy/firewall box that
>> provides internet to my internal users, now i have
>> only permitted the common ports like
>> ftp,http,smtp,pop3 etc etc & blocked all other , now
>> there are couple of p2p applications out there that
>> tunnel through my port 80 as its open, this is taking
>> up my internet bandwidth, i want to stop that ...
>
> Well, then what Rob said before applies.
> Netfilter is not good for solving this problem.
> Squid is reputed to be very good for this problem.

AFAIK squid will not proxy P2P traffic; however, this could be of help:
http://www.netfilter.org/projects/patch-o-matic/pom-extra.html#pom-extra-ipp2p

The example says :
iptables -A FORWARD -m ipp2p --edk --kazaa --bit -j DROP

But maybe you can also use it as :
iptables -A FORWARD -m ipp2p -j DROP


Gr,
Rob




-- 
"Having a say without insight results in verdicts without prospects."





* Re: filtering HTTP signatures/headers ?
  2006-03-02  4:04       ` S t i n g r a y
  2006-03-02  5:37         ` filtering HTTP signatures/headers ? (nfcan: addressed to exclusive sender for this address) Jim Laurino
@ 2006-03-02 11:36         ` Oleg
  1 sibling, 0 replies; 8+ messages in thread
From: Oleg @ 2006-03-02 11:36 UTC (permalink / raw)
  To: netfilter

> now
> there are couple of p2p applications out there that
> tunnel through my port 80 as its open, this is taking
> up my internet bandwidth, i want to stop that ...
To detect p2p try:
- iptables-p2p (mega.ist.utl.pt/~filipe/iptables-p2p/)
- ipp2p (check latest patch-o-matic-ng)
- l7-filter (l7-filter.sf.net)

-- 
Best regards, Oleg



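The tools Oleg lists (ipp2p, l7-filter) and the proxy Rob and Jim suggest share one idea: decide what a port-80 connection really is from the first bytes the client sends, not from the port number. The following is an added example, not code from the thread, from l7-filter, ipp2p or Squid, and the signatures in it are simplified ones I wrote for illustration rather than those projects' real pattern files. It labels a flow from its opening bytes and applies a policy that only well-formed plain HTTP may cross port 80, which is what routing everything through an HTTP proxy enforces implicitly. The flow names, sample bytes and function names are all constructed.

```python
# Added example (not from the thread, not l7-filter's or ipp2p's signatures):
# classify a connection from its first client->server bytes and apply a
# port-80 policy that admits only well-formed plain HTTP. Data is constructed.
import re
from typing import Dict

# Simplified, constructed protocol signatures applied to the start of a flow.
# The BitTorrent handshake really does begin with 0x13 "BitTorrent protocol";
# the HTTP and SSH patterns are deliberately minimal.
SIGNATURES: Dict[str, "re.Pattern[bytes]"] = {
    "http": re.compile(rb"\A(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    "http-connect": re.compile(rb"\ACONNECT \S+ HTTP/1\.[01]\r\n"),
    "bittorrent": re.compile(rb"\A\x13BitTorrent protocol"),
    "ssh": re.compile(rb"\ASSH-2\.0-"),
}


def classify(first_bytes: bytes) -> str:
    """Label a flow from its opening bytes; 'unknown' when nothing matches."""
    for name, pattern in SIGNATURES.items():
        if pattern.match(first_bytes):
            return name
    return "unknown"


def has_host_header(first_bytes: bytes) -> bool:
    """HTTP/1.1 requires a Host header; its absence is a cheap sanity check
    against software that merely imitates a request line."""
    head = first_bytes.split(b"\r\n\r\n", 1)[0]
    return any(line.lower().startswith(b"host:") for line in head.split(b"\r\n")[1:])


def port80_verdict(first_bytes: bytes) -> str:
    """Policy: only well-formed plain HTTP requests are accepted on port 80.
    CONNECT asks for an opaque tunnel and is normally honoured by a proxy
    only for specific destinations, so it is not accepted here either."""
    if classify(first_bytes) == "http" and has_host_header(first_bytes):
        return "ACCEPT"
    return "DROP"


# Constructed sample flows (first bytes sent by the client).
FLOWS: Dict[str, bytes] = {
    "browser": b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Browser/1.0\r\n\r\n",
    "no-host": b"GET / HTTP/1.1\r\nUser-Agent: Something/1.0\r\n\r\n",
    "connect-tunnel": b"CONNECT example.test:443 HTTP/1.1\r\nHost: example.test:443\r\n\r\n",
    "bittorrent-on-80": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"X" * 40,
    "opaque-binary": bytes(range(64)),
}


def verdicts(flows: Dict[str, bytes] = FLOWS) -> Dict[str, str]:
    """Apply the port-80 policy to every sample flow."""
    return {name: port80_verdict(data) for name, data in flows.items()}


if __name__ == "__main__":
    for name, data in FLOWS.items():
        print(f"{name:18s} {classify(data):14s} {port80_verdict(data)}")
```

The caveat a practitioner wants: this check stops traffic that does not look like HTTP at all, which is the case Stingray describes, but a P2P client that speaks genuine HTTP with a Host header passes it. That is why ipp2p and l7-filter carry signatures for the applications' own traffic patterns, and why a proxy deployment only helps when the firewall blocks direct port-80 egress so clients cannot bypass it.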
