* ipt_string problems and FAQ
From: Tabris @ 2003-08-27 17:19 UTC (permalink / raw)
To: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OK, I admit to finding a message in the archive that mentioned that we're
not supposed to use ipt_string for stopping Code Red and such (it says
there's an FAQ entry for it, which I did not find), so first, I'd like to
ask where this FAQ entry is...
Second, I've been using ipkungfu to attempt to stop Code Red, Nimda, etc.
from hitting my Apache server and clogging up my logs.
It's not working, the rules never trigger. I've played around with it to
no avail.
I guess, if this doesn't work, and isn't supposed to work, what SHOULD I
do?
I'm using a 2.4.22-pre series kernel with some patch-o-matic
iptables patches. I hope this doesn't end up being another of those
stupid questions that never gets answered.
TIA
- --
tabris
- -
Nietzsche says that we will live the same life, over and over again.
God -- I'll have to sit through the Ice Capades again.
-- Woody Allen, "Hannah and Her Sisters"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE/TOggtTgrITXtL+8RAiGkAJ49cU4UE+LzbcbS4XNxp+RM+uo3qgCfZQxD
iL/1//ju0Ke+UuJIXkZauZk=
=mY90
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: ipt_string problems and FAQ
From: cc @ 2003-09-01 1:41 UTC (permalink / raw)
To: Netfilter Group
Tabris wrote:
> OK, I admit to finding a message in the archive that mentioned that we're
> not supposed to use ipt_string for stopping Code Red and such (it says
> there's an FAQ entry for it, which I did not find), so first, I'd like to
> ask where this FAQ entry is...
It's actually in the Netfilter-Extensions FAQ, under the -m string module.
>
> second, I've been using ipkungfu to attempt to stop codered, nimda, etc
> from hitting my apache server and clogging up my logs.
>
> It's not working, the rules never trigger. I've played around with it to
> no avail.
Which doesn't work? ipt_string or ipkungfu, or both? Have you
installed the kernel patch and recompiled your kernel?
> I guess, if this doesn't work, and isn't supposed to work, what SHOULD I
> do?
Find an alternative, I guess. I too have been trying to figure
this out myself, but I suppose ipt_string wasn't meant to be used
like that (though I can't see why not, but that's a different
topic). I was told to use the correct tool for the job.
Snort w/ snortsam is the type of setup I'm using right now; though
I'm still figuring out if it is indeed working. The logs are
showing a decrease in junk; but still, some are seeping through.
*sigh*
> I'm using a kernel 2.4.22-pre series kernel with some patch-o-matic
> iptables patches. I hope this doesn't end up being another of those
> stupid questions that never gets answered.
I don't know. What do you think? ;)
* Re: ipt_string problems and FAQ
From: Maciej Soltysiak @ 2003-09-01 11:03 UTC (permalink / raw)
To: Tabris; +Cc: netfilter
Hi,
> ask where this FAQ entry is...
http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.14
> second, I've been using ipkungfu to attempt to stop codered, nimda, etc
> from hitting my apache server and clogging up my logs.
> It's not working, the rules never trigger. I've played around with it to
> no avail.
I do not know how ipkungfu works; I'd have to check it out to see if it
can work and whether it is a valid and clean solution.
> I guess, if this doesn't work, and isn't supposed to work, what SHOULD I
> do?
Patch your affected servers, use unaffected software and
inform the netadmins of infected hosts about the viruses.
Regards,
Maciej
* Re: ipt_string problems and FAQ
From: Tabris @ 2003-09-01 12:21 UTC (permalink / raw)
To: Maciej Soltysiak; +Cc: netfilter
On Monday 01 September 2003 07:03 am, Maciej Soltysiak wrote:
> Hi,
>
> > ask where this FAQ entry is...
>
> http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.14
>
Kay... Though, as my friend asked, what IS it good for? Examples?
> > second, I've been using ipkungfu to attempt to stop codered, nimda,
> > etc from hitting my apache server and clogging up my logs.
> > It's not working, the rules never trigger. I've played around with it
> > to no avail.
>
> I do not know how ipkungfu works, i'd have to check it out to see if it
> can works and if it is a valid and clean solution.
>
http://www.linuxkungfu.org/
> > I guess, if this doesn't work, and isn't supposed to work, what
> > SHOULD I do?
>
> Patch your affected servers, use unaffected software and
> inform the netadmins of infected hosts about the viruses.
FWIW, I don't use IIS, so I don't really get infected by it, but all the
same I get it clogging up my logs... which is what I'm really trying to
take care of here... no more crap in my logs.
>
> Regards,
> Maciej
--
tabris
-
Life only demands from you the strength you possess.
Only one feat is possible -- not to have run away.
-- Dag Hammarskjold
* Re: ipt_string problems and FAQ
From: Sven Riedel @ 2003-09-03 8:43 UTC (permalink / raw)
To: netfilter
On Mon, Sep 01, 2003 at 01:03:48PM +0200, Maciej Soltysiak wrote:
> Hi,
> > ask where this FAQ entry is...
> http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.14
Ok, slightly off topic to this thread, but I still need to know from
that faq entry:
QUOTE
Please do not use the string match from patch-o-matic instead of
application proxy filtering. It would be defeated anytime by fragmented
packets (i.e. an HTTP request split on two TCP packets),
ENDQUOTE
I thought iptables collects all fragments and reassembles the packet
before applying any rules? Or am I dead wrong here?
Regs,
Sven
--
Sven Riedel sr@gimp.org
Liebigstr. 38
30163 Hannover
"Python is merely Perl for those who prefer Pascal to C" (anon)
* Re: ipt_string problems and FAQ
From: Ralf Spenneberg @ 2003-09-03 13:16 UTC (permalink / raw)
To: sr; +Cc: Netfilter
On Wed, 2003-09-03 at 10:43, Sven Riedel wrote:
> I thought iptables collects all fragments and reassembles the packet
> before applying any rules? Or am I dead wrong here?
Only if the ip_conntrack.o module is loaded.
Cheers,
Ralf
--
Ralf Spenneberg
RHCE, RHCX
Book: Intrusion Detection für Linux Server http://www.spenneberg.com
IPsec-Howto http://www.ipsec-howto.org
Honeynet Project Mirror: http://honeynet.spenneberg.org
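The FAQ passage Sven quotes and the reply about ip_conntrack talk about two different layers, and a small model keeps them apart. The following is an added example written for this page; it is not code from the thread, from ipkungfu or from netfilter. The request bytes, the split point and the IP identification value are constructed for the demonstration, and `-m string`, `ip_defrag` and stream reassembly are modelled as plain functions rather than called. It shows that a per-packet string match inspects each TCP segment on its own, so a request line split across two segments is never seen whole unless something (a proxy, an IDS preprocessor) reassembles the stream; IP fragments of a single datagram, by contrast, are glued back together before the rules run when conntrack's defragmentation is active, and are inspected one fragment at a time when it is not.

```python
"""Per-packet string matching versus reassembly (added illustration).

Constructed request bytes and split points; nothing here is netfilter code.
"""
from dataclasses import dataclass
import re

# Signatures of the Code Red / Nimda probes the thread wants to drop.
WORM_PATTERN = re.compile(rb"default\.ida|cmd\.exe|root\.exe")

# Constructed Code Red style probe; the real request was far longer.
REQUEST = b"GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


@dataclass(frozen=True)
class Packet:
    """What a netfilter rule sees: the payload of one IP datagram."""
    seq: int        # TCP sequence offset of the first payload byte
    payload: bytes


@dataclass(frozen=True)
class IPFragment:
    """One IP fragment of a datagram, before any reassembly."""
    ip_id: int      # IP identification field shared by fragments of one datagram
    offset: int     # byte offset within the original datagram
    data: bytes


def match_per_packet(packets, pattern=WORM_PATTERN):
    """Model of -m string: inspect each packet's payload on its own."""
    return [bool(pattern.search(p.payload)) for p in packets]


def reassemble_stream(packets):
    """What an application proxy or IDS preprocessor does and netfilter does
    not: rebuild the TCP byte stream in sequence order before matching."""
    return b"".join(p.payload for p in sorted(packets, key=lambda p: p.seq))


def match_on_stream(packets, pattern=WORM_PATTERN):
    return bool(pattern.search(reassemble_stream(packets)))


def tcp_segments(request, split_at):
    """Model the sender emitting one request as two TCP segments, split at
    byte offset split_at. Each segment is its own IP datagram."""
    return [Packet(0, request[:split_at]), Packet(split_at, request[split_at:])]


def ip_fragments(request, ip_id, split_at):
    """Model one TCP segment carrying the whole request, then fragmented at
    the IP layer into two fragments of datagram ip_id."""
    return [IPFragment(ip_id, 0, request[:split_at]),
            IPFragment(ip_id, split_at, request[split_at:])]


def without_defrag(fragments):
    """No conntrack defragmentation: rules see each fragment as a packet."""
    return [Packet(f.offset, f.data) for f in fragments]


def ip_defrag(fragments):
    """Model of ip_defrag, run before the rules when conntrack is loaded:
    fragments sharing an IP id are glued back into the original datagram."""
    assert len({f.ip_id for f in fragments}) == 1, "one datagram at a time"
    data = b"".join(f.data for f in sorted(fragments, key=lambda f: f.offset))
    return [Packet(0, data)]


def demo(split_at=REQUEST.index(b"ault.ida")):
    """Run the cases and return what a string match would report for each."""
    segs = tcp_segments(REQUEST, split_at)
    frags = ip_fragments(REQUEST, ip_id=4242, split_at=split_at)
    return {
        # request split across two TCP segments: per-packet match misses both
        "tcp_split_per_packet": match_per_packet(segs),
        # the same bytes after stream reassembly: caught
        "tcp_split_reassembled": match_on_stream(segs),
        # IP fragments without conntrack: each fragment inspected alone, missed
        "ip_frags_no_conntrack": match_per_packet(without_defrag(frags)),
        # IP fragments with conntrack loaded: defragmented first, caught
        "ip_frags_with_conntrack": match_per_packet(ip_defrag(frags)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26} {result}")
```

The split point lands inside `default.ida`, which is the cheap evasion the FAQ warns about: a client can choose its segment boundaries, so any string that must be matched whole has to be matched after reassembly, and netfilter only reassembles IP fragments, never TCP streams.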
* Re: ipt_string problems and FAQ
From: Michael @ 2003-09-04 18:28 UTC (permalink / raw)
To: netfilter
> On Monday 01 September 2003 07:03 am, Maciej Soltysiak wrote:
> > Hi,
> >
> > > ask where this FAQ entry is...
> >
> > http://www.netfilter.org/documentation/FAQ/netfilter-faq-3.html#ss3.14
> >
>
> Kay... Though as my friend asked, what IS it good for? examples?
>
> > > second, I've been using ipkungfu to attempt to stop codered, nimda,
> > > etc from hitting my apache server and clogging up my logs.
> > > It's not working, the rules never trigger. I've played around with it
> > > to no avail.
> >
> > I do not know how ipkungfu works, i'd have to check it out to see if it
> > can works and if it is a valid and clean solution.
> >
> http://www.linuxkungfu.org/
>
> > > I guess, if this doesn't work, and isn't supposed to work, what
> > > SHOULD I do?
> >
> > Patch your affected servers, use unaffected software and
> > inform the netadmins of infected hosts about the viruses.
>
> FWIW, I don't use IIS, so I don't really get infected by it, but all
> the same I get it clogging up my logs... which is what I'm really
> trying to take care of here... no more crap in my logs.
>
> >
> > Regards,
> > Maciej
> --
> tabris
> -
> Life only demands from you the strength you possess.
> Only one feat is possible -- not to have run away.
> -- Dag Hammarskjold
>
>
This is not a netfilter solution, but it does the trick for our
servers. If your server is mod_perl enabled, then use this section
in your httpd.conf file:
# trap exploits of nimda & code-red compromised systems.
# version 1.06 9-20-01 michael@bizsystems.com
#
# NB: the package below still has to be assigned to the worm URIs
# (a <LocationMatch> with SetHandler perl-script and
# PerlHandler Apache::VirusLogZapper); that mapping is assumed here.
<perl>
{
    package Apache::VirusLogZapper;
    use Apache::Constants qw(:common :response);

    # 1 = note the offending host and probe in the error log;
    # 0 = drop the hit without a trace.
    my $ERRORLOG = 0;

    sub handler {
        my $r = shift;
        if ($ERRORLOG) {
            # Capture the match explicitly; $1 would be stale if the
            # regex did not match the current URI.
            my ($probe) = $r->uri =~ /(cmd\.exe|root\.exe|default\.ida)/;
            $r->log_error(__PACKAGE__, ' ', $r->get_remote_host, ' ',
                          defined $probe ? $probe : '');
        }
        # A log handler that returns DONE ends the logging phase before
        # mod_log_config runs, so the hit never reaches the access log.
        $r->push_handlers(PerlLogHandler => sub { return DONE });
        # DONE here finishes the request without sending a body.
        return DONE;
    }
}
</perl>
Michael@Insulin-Pumpers.org