[LARTC] layer-7 filtering is possible in linux ?

[LARTC] layer-7 filtering is possible in linux ?

[openings]

Dear folks


With U32 filter, I can filter packets with it's packet header.

In linux, I wonder if Layer-7 filtering is possible.

I want to filter packets that include specific pattern in it's payload(not header, data part).

ex) Packets that include "aaa.exe" text pattern in it's data part.

If it is possible, mail traffic that include specific text pattern can be filtered.

I thought that above function is very useful.

In Linux, is it possible?

ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿË\x01\x14™¨¥Šx%ŠË\x7f,\x04S\vùšŠYšŸ÷lõ¯ç–^[m§ÿÿ™¨¥™©ÿvÏZşy\x7f™¨¥™©ÿ–+-ŠwèşV«µÁÎY3ÿ†Ûiÿÿåj»\şŠà

Re: [LARTC] layer-7 filtering is possible in linux ?

[Stef Coene]

On Friday 02 May 2003 17:58, openings wrote:
> Dear folks
>
>
> With U32 filter, I can filter packets with it's packet header.
>
> In linux, I wonder if Layer-7 filtering is possible.
>
> I want to filter packets that include specific pattern in it's payload(not
> header, data part).
>
> ex) Packets that include "aaa.exe" text pattern in it's data part.
>
> If it is possible, mail traffic that include specific text pattern can be
> filtered.
>
> I thought that above function is very useful.
>
> In Linux, is it possible?
Iptables can filter based on text in a packet.  At the same time, you can mark 
the packet and that mark can be used with the fw filter.

Stef


-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] layer-7 filtering is possible in linux ?

[Craig Kelley]

Or hogwash (http://hogwash.sf.net), which is designed to do that sort of
thing.

Logu said:
> Use squid.
>
>> In linux, I wonder if Layer-7 filtering is possible.
>>
>> I want to filter packets that include specific pattern in it's
>> payload(not
> header, data part).
>>
>> ex) Packets that include "aaa.exe" text pattern in it's data part.
>>
>> If it is possible, mail traffic that include specific text pattern can
>> be
> filtered.
>>
>> I thought that above function is very useful.
>>
>> In Linux, is it possible?
>
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>


--
Craig Kelley
In-Store Broadcasting Network
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] layer-7 filtering is possible in linux ?

[Logu]

Use squid.

> In linux, I wonder if Layer-7 filtering is possible.
>
> I want to filter packets that include specific pattern in it's payload(not
header, data part).
>
> ex) Packets that include "aaa.exe" text pattern in it's data part.
>
> If it is possible, mail traffic that include specific text pattern can be
filtered.
>
> I thought that above function is very useful.
>
> In Linux, is it possible?


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] layer-7 filtering is possible in linux ?

[Ethan Sommer]

I had actually hoped to wait about a week before announcing this, since 
we aren't _quite_ ready to post the code yet, but since you asked....

take a look at http://l7-filter.sourceforge.net/

We've implemented a layer7 filter which takes regular expressions as 
patterns and integrates fully into the Linux QoS structure. (it uses tc, 
etc..) In our tests it seems to perform quite well. (although there are 
still a few bugs to run down, but I hope we'll have them nailed down by 
Friday or so...)

Here's the general structure of how we hope to release the code, just as 
a sneak peak: (from our web page)

Our goal is go create a filter to classify packets based on application 
(or "layer 7") data. This means that will will be able to classify 
packets as HTTP, FTP, Gnucleus, etc, regardless of what port the 
services are run on. Our filter will complement existing filters that 
classify based on route, port numbers and so on.

Our project has three subparts:

   1. A patch to the Linux kernel. This code does the actual classification.
   2. A patch to the "tc" (traffic control) program. This program tells
      the kernel how to filter.
   3. A file with protocol definitions which tells the kernel what we
      mean when we say "HTTP". This file is fed to the kernel via /proc.

The hope is that for the third part, we can get a lot of comminuty help. 
The initial release will come with some protocol definitions as examples 
(HTTP, POP, FTP etc...) but, since anyone with tcpdump (or who turns on 
a flag in our code) can observe a protocol stream, and I'm sure many of 
you understand basic regular expressions, I hope that we can quickly 
build up a protocol definition library which rivals some of the 
commercial packet-shaping options.

I'll keep you all posted as we release our first code (almost certainly 
later in the week)



>In linux, I wonder if Layer-7 filtering is possible.
>
>  
>

so the answer is... yes, and you can do it too in about a week.

Ethan Sommer




_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] layer-7 filtering is possible in linux ?

[james jones]

~The hope is that for the third part, we can get a lot of comminuty
~help. 
~The initial release will come with some protocol definitions as
~examples 
~(HTTP, POP, FTP etc...) but, since anyone with tcpdump (or who turns
~on 
~a flag in our code) can observe a protocol stream, and I'm sure many
~of 
~you understand basic regular expressions, I hope that we can quickly

~build up a protocol definition library which rivals some of the 
~commercial packet-shaping options.

Have you thought about using the definitions that are in the Ethereal
project???

~I'll keep you all posted as we release our first code (almost
~certainly 
~later in the week)

That would be GREAAT.

~>In linux, I wonder if Layer-7 filtering is possible.

~so the answer is... yes, and you can do it too in about a week.

~Ethan Sommer

James Jones
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] layer-7 filtering is possible in linux ?

[N N Ashok]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 02 May 2003 13:05, Stef Coene scrawled:
> On Friday 02 May 2003 17:58, openings wrote:
> > Dear folks
> >
> >
> > With U32 filter, I can filter packets with it's packet header.
> >
> > In linux, I wonder if Layer-7 filtering is possible.
> >
> > I want to filter packets that include specific pattern in it's
> > payload(not header, data part).
> >
> > ex) Packets that include "aaa.exe" text pattern in it's data part.
> >
> > If it is possible, mail traffic that include specific text pattern can be
> > filtered.
> >
> > I thought that above function is very useful.
> >
> > In Linux, is it possible?
>
> Iptables can filter based on text in a packet.  At the same time, you can
> mark the packet and that mark can be used with the fw filter.
>
> Stef

The Layer 7 traffic policing project (http://l7-filter.sourceforge.net/) aims 
to do the very thing.

Ashok
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+zSYnRhXpVty0Ty4RAuPcAKCEWzShBSssfjkc6sS5Mmjs4DJkPwCcCGsQ
0o8zQUvY8NHeqscNACTcGMw
95
-----END PGP SIGNATURE-----

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/