From: Eicke Friedrich <tady@gmx.net>
To: netfilter-devel@lists.netfilter.org
Subject: Re: Feasability of Protocol Filtering
Date: Fri, 25 Apr 2003 11:03:47 +0200	[thread overview]
Message-ID: <3EA8F9F3.4010401@gmx.net> (raw)
In-Reply-To: <20030425083150.GG6439@oknodo.bof.de>


Patrick Schaaf wrote:
>>Identify and DENY SSH traffic regardless of port
> How do you cope with an ftp transfer of a tcpdump capture of some
> earlier SSH traffic?
Hmm, kind of difficult, but this depends on the things you know about a 
protocol and of course on luck :-)
If you know the exact position (like: the second byte in the payload of 
a packet has to be 0xff) of a characteristic string or pattern of 
bytes, you don't need to search the whole packet. If it's not at this 
position, it isn't the protocol that you're looking for.
What I mean is that if you transfer a captured ssh-session, the chances 
that the characteristic string/pattern/whatever of ssh is at the same 
position in the ftp transfer as it was in the original ssh connection 
are very low, because ftp-data uses bigger packets than ssh.
What you can also do is include packet sizes in your test - for 
example excluding large packets (like ftp-data packets are) from 
searching for ssh characteristics.
I know that this was just an example, but what I try to say is that if 
you learn much about the protocol and implement everything you know, you 
will have a good chance to catch just the things you want to.


Regards,
Eicke.
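One way to implement the positional test plus the size exclusion described in the message above, as an added example that is not part of the original thread. It assumes an SSH signature of "SSH-" at payload offset 0 (the version-exchange banner) and constructs a pcap file inline to show why the same banner lands at a different offset inside a full-size ftp-data segment.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """Positional byte signature: `pattern` must sit exactly at `offset` of the
    TCP payload, and the payload must be no longer than `max_len` bytes."""
    name: str
    offset: int
    pattern: bytes
    max_len: int


def matches(sig: Signature, payload: bytes) -> bool:
    # Size test first: large segments (e.g. ftp-data at full MSS) are excluded.
    if len(payload) > sig.max_len:
        return False
    # Exact position only: the pattern elsewhere in the segment does not count.
    return payload[sig.offset:sig.offset + len(sig.pattern)] == sig.pattern


def classify(sigs, payload: bytes):
    """Names of all signatures that match this payload."""
    return [s.name for s in sigs if matches(s, payload)]


def naive_search(pattern: bytes, payload: bytes) -> bool:
    """What a 'search anywhere in the packet' rule would do, for comparison."""
    return pattern in payload


# Assumed signature: SSH version exchange begins with "SSH-" and is short.
SSH_BANNER = Signature("ssh", 0, b"SSH-", 256)
# The email's hypothetical rule: second payload byte must be 0xff.
SECOND_BYTE_FF = Signature("second-byte-ff", 1, b"\xff", 512)

# Constructed sample 1: first segment of an SSH session.
ssh_segment = b"SSH-2.0-OpenSSH_3.6p1\r\n"


def build_pcap_segment(banner: bytes, mss: int = 1460) -> bytes:
    """Constructed ftp-data segment carrying a pcap file of that SSH session.
    The banner is still present, but behind the 24-byte pcap file header,
    a 16-byte record header and 54 bytes of Ethernet/IPv4/TCP headers."""
    file_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frame = bytes(54) + banner  # link/IP/TCP headers zeroed as a placeholder
    rec_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return (file_hdr + rec_hdr + frame).ljust(mss, b"\x00")[:mss]


ftp_segment = build_pcap_segment(ssh_segment)
```

Running `classify([SSH_BANNER], ...)` on the two samples flags only the real SSH segment, while `naive_search` also fires on the ftp-data segment where the banner sits at offset 94.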
