* running commands when packet matched
From: James Rhett Aultman @ 2005-12-03 22:39 UTC (permalink / raw)
To: netfilter
Dear Netfilter users,
I'm trying to put together a prototype for a project at the moment and
I'm trying to think about the proper architecture to use for it.
Basically, I need to be able to run a certain program when a given
machine sees certain kinds of traffic coming across it. I'm looking
into doing this with iptables, but the tutorials I've read don't cover
cases like mine. Again, to explain the mechanism I need: when the
machine encounters a packet matching a rule, I want the machine to run a
specific program and drop the packet.
Is something like this possible using iptables or another netfilter project?
--
Rhett.
* Re: running commands when packet matched
From: Eric Leblond @ 2005-12-04 0:11 UTC (permalink / raw)
To: James Rhett Aultman; +Cc: netfilter
On Sat, 2005-12-03 at 17:39 -0500, James Rhett Aultman wrote:
> Dear Netfilter users,
>
> Again, to explain the mechanism I need: when the
> machine encounters a packet matching a rule, I want the machine to run a
> specific program and drop the packet.
>
> Is something like this possible using iptables or another netfilter project?
Yes, just use the QUEUE or NFQUEUE target. This sends the packet to userspace,
and there you can do what you want. In your case, match and accept the
packets, and when a match is done, do your job ....
If you need some code example, you can have a look at NuFW :
http://www.nufw.org/
By the way, you could also have a look at ulogd2 which brings some
features that may interest you :
http://svn.gnumonks.org/branches/ulog/ulogd2/
BR,
--
Eric Leblond <eric@inl.fr>
INL
* Re: running commands when packet matched
From: Georgi Alexandrov @ 2005-12-05 17:26 UTC (permalink / raw)
To: netfilter
Eric Leblond wrote:
> On Sat, 2005-12-03 at 17:39 -0500, James Rhett Aultman wrote:
>
>> Dear Netfilter users,
>>
>> Again, to explain the mechanism I need: when the
>> machine encounters a packet matching a rule, I want the machine to run a
>> specific program and drop the packet.
>>
>> Is something like this possible using iptables or another netfilter project?
>
> Yes, just use the QUEUE or NFQUEUE target. This sends the packet to userspace,
> and there you can do what you want. In your case, match and accept the
> packets, and when a match is done, do your job ....
>
> If you need some code example, you can have a look at NuFW :
> http://www.nufw.org/
>
> By the way, you could also have a look at ulogd2 which brings some
> features that may interest you :
> http://svn.gnumonks.org/branches/ulog/ulogd2/
>
> BR,
But actually the truth is that this is a job for an IDS/IPS such as
Snort(.org), not netfilter.
A cite from: http://www.snort.org/docs/faq/1Q05/node91.html
" But one caveat... running external binaries can also be a performance
limiter and you should read the caution below...
CHRISTOPHER CRAMER wrote:
I'm sure this has been mentioned before in similar discussions, but
this feels like a _really_ bad idea. What if the bad guys realize
what is going on and make use of your blocking method as a DoS
attack. All one would have to do is start sending a series of
triggering packets with spoofed IP addresses.
Since I am no longer interested in breaking into your site, but
rather making your life hell, I don't worry about the resulting data
getting back to me. All I have to do is start proceeding up a list
of IP addresses that I think you should no longer be able to talk
to. When you come in the next morning, you find that you can no
longer access the world.
Just my $0.02.
Danger Will Robinson: Conventional wisdom says that auto-blocking is
inherently dangerous."
Enjoy! :-)
Georgi Alexandrov
* Re: running commands when packet matched
From: James Rhett Aultman @ 2005-12-05 17:48 UTC (permalink / raw)
To: Georgi Alexandrov, netfilter
Georgi Alexandrov wrote:
> Danger Will Robinson: Conventional wisdom says that auto-blocking is
> inherently dangerous."
Actually, for what I'm trying to do, switching to userspace is probably
not that dangerous. The reason is that I am trying to match one
packet, then the rule for the matching is actually switched off. In
other words, I want to match a single packet, run some user code, then
remove the rule for matching that packet. Given this, I can't see how
the scenario you've laid out would be that big of a threat.
--
Rhett.
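The thread describes two userspace designs for the NFQUEUE/QUEUE target Eric points at: Rhett's one-shot trigger (match a single packet, run a program, drop it, then disarm the rule) and the naive "block whoever sent the trigger" policy that the Snort FAQ quoted by Georgi warns can be turned into a self-inflicted DoS with spoofed sources. The following is an added example written for this page, not code from any of the posters or from NuFW/ulogd2. It models only the verdict logic a queue callback would run on the raw IPv4 packet bytes: the real hookup (an `iptables ... -j NFQUEUE --queue-num N` rule plus a libnetfilter_queue program calling `nfq_set_verdict()`) is assumed and not shown, and the packets, addresses and port 2222 are constructed test data. `NF_DROP`/`NF_ACCEPT` are the verdict values from `<linux/netfilter.h>`.

```python
import struct
import ipaddress

# Verdict values from <linux/netfilter.h>, the values handed to nfq_set_verdict().
NF_DROP = 0
NF_ACCEPT = 1


def parse_ipv4(packet):
    """Return (src, dst, proto, dst_port) for an IPv4 packet, or None if it is not one.

    dst_port is only decoded for TCP (6) and UDP (17); otherwise it is None.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # header length in bytes (options included)
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    dst_port = None
    if proto in (6, 17) and len(packet) >= ihl + 4:
        dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return src, dst, proto, dst_port


class OneShotTrigger:
    """Rhett's design: fire the user action on the first matching packet, drop it, disarm."""

    def __init__(self, dst_port, action):
        self.dst_port = dst_port
        self.action = action      # callable(src, dst, dport); stands in for 'run a program'
        self.armed = True
        self.fired_from = []

    def verdict(self, packet):
        hdr = parse_ipv4(packet)
        if hdr is None:
            return NF_ACCEPT      # not ours to judge; let it through
        src, dst, _proto, dport = hdr
        if self.armed and dport == self.dst_port:
            self.armed = False    # the real program would delete the iptables rule here
            self.fired_from.append(src)
            self.action(src, dst, dport)
            return NF_DROP
        return NF_ACCEPT


class AutoBlocker:
    """The policy the Snort FAQ warns about: every trigger adds its source to a block list.

    Because the source address is attacker-controlled, N spoofed triggers produce N blocked
    addresses, which is the DoS Christopher Cramer describes.
    """

    def __init__(self, dst_port):
        self.dst_port = dst_port
        self.blocked = set()

    def verdict(self, packet):
        hdr = parse_ipv4(packet)
        if hdr is None:
            return NF_ACCEPT
        src, _dst, _proto, dport = hdr
        if src in self.blocked:
            return NF_DROP
        if dport == self.dst_port:
            self.blocked.add(src)
            return NF_DROP
        return NF_ACCEPT


def make_packet(src, dst, dport, proto=6):
    """Constructed sample: 20-byte IPv4 header plus the 4-byte L4 port pair (checksums unset)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + struct.pack("!HH", 40000, dport)


def demo():
    """Run both designs over constructed traffic; returns (one-shot verdicts, actions run, blocked)."""
    ran = []
    trig = OneShotTrigger(2222, lambda s, d, p: ran.append(f"handler for {s} -> {d}:{p}"))
    verdicts = [
        trig.verdict(make_packet("198.51.100.7", "192.0.2.1", 2222)),   # first match: run + drop
        trig.verdict(make_packet("198.51.100.8", "192.0.2.1", 2222)),   # rule disarmed: accept
        trig.verdict(make_packet("198.51.100.9", "192.0.2.1", 80)),     # never matched: accept
    ]
    blocker = AutoBlocker(2222)
    for i in range(50):                       # 50 triggers with 50 spoofed sources
        blocker.verdict(make_packet(f"203.0.113.{i}", "192.0.2.1", 2222))
    return verdicts, ran, sorted(blocker.blocked)


if __name__ == "__main__":
    v, ran, blocked = demo()
    print("one-shot verdicts:", v, "actions run:", len(ran))
    print("auto-blocker entries after 50 spoofed triggers:", len(blocked))
```

The one-shot handler bounds the damage the way Rhett argues: whatever the source address, the action runs once and the queue rule is then removed, so a flood of forged triggers costs one drop. The auto-blocker shows the opposite: its block list grows with every spoofed source, which is exactly the morning-after scenario the FAQ quote describes.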