Linux Netfilter discussions
* Can netfilter do this?
From: Joe Mott @ 2004-03-25 11:59 UTC (permalink / raw)
  To: netfilter

I have been searching the archived lists without any success to have the 
following question answered:

Is netfilter capable of knowing when someone is crafting SMTP (or FTP or 
HTTP or ...) packets that violate RFC rules to exploit a vulnerability 
in some server?


* Re: Can netfilter do this?
From: Gavin Hamill @ 2004-03-25 12:14 UTC (permalink / raw)
  To: netfilter

On Thursday 25 March 2004 11:59, Joe Mott wrote:

> Is netfilter capable of knowing when someone is crafting SMTP (or FTP or
> HTTP or ...) packets that violate RFC rules to exploit a vulnerability
> in some server?

No, application-level filtering / analysis is outside the scope of netfilter. 

Try http://www.snort.org/ 

Cheers,
Gavin.


* Re: Can netfilter do this?
From: David Cannings @ 2004-03-25 12:20 UTC (permalink / raw)
  To: netfilter

On Thursday 25 March 2004 11:59, Joe Mott wrote:
> I have been searching the archived lists without any success to have
> the following question answered:
>
> Is netfilter capable of knowing when someone is crafting SMTP (or FTP
> or HTTP or ...) packets that violate RFC rules to exploit a
> vulnerability in some server?

No, that is the job for some form of IDS, such as Snort.  Whilst netfilter 
can look inside the contents of packets, it can only do so on a packet-by-
packet basis.  An HTTP request, SMTP conversation (etc.) is likely to be 
so large that it spans multiple packets.  When text wraps the boundary of one 
packet, netfilter can no longer help; some form of reassembly is required 
before the "full" text can be read and taken into context.

David


* Re: Can netfilter do this?
From: Ray Leach @ 2004-03-25 12:33 UTC (permalink / raw)
  To: Netfilter Mailing List

On Thu, 2004-03-25 at 13:59, Joe Mott wrote:
> I have been searching the archived lists without any success to have the 
> following question answered:
> 
> Is netfilter capable of knowing when someone is crafting SMTP (or FTP or 
> HTTP or ...) packets that violate RFC rules to exploit a vulnerability 
> in some server?

As the other replies say, the short answer is no.

You can do some filtering using the netfilter POM patches, like string
matching, TOS, TCP flags.

Regards

Ray
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

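To make the packet-boundary point from David's reply concrete, and to show what a per-packet string match such as the one in the POM patches Ray mentions actually gets to see, here is an added example; it is not code from the thread, from Snort or from netfilter itself. The SMTP input, the sequence numbers and the signature are all constructed for the demonstration, and the reassembler is a minimal one-direction model of what an IDS has to do, not Snort's implementation.

```python
"""
Per-packet string matching versus TCP stream reassembly.

Constructed demonstration: the same SMTP command is delivered as one
segment, as two segments cut in the middle of the signature, and as the
same two segments out of order with a retransmission.  A per-packet
matcher (what a packet filter's string match does) only catches the
first case; a reassembler that orders the bytes by sequence number
catches all three.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment in one direction: sequence number of its first byte, payload."""
    seq: int
    payload: bytes


def per_packet_match(segments, pattern: bytes) -> bool:
    """Packet-filter view: each payload is searched in isolation, no state is kept."""
    return any(pattern in seg.payload for seg in segments)


class TcpReassembler:
    """Minimal one-direction reassembler: orders segments by sequence number,
    discards bytes already delivered (retransmissions / overlaps) and holds
    out-of-order data until the hole in front of it is filled.
    Not modelled: window limits, FIN/RST, conflicting data in overlaps."""

    def __init__(self, isn: int):
        self.next_seq = isn          # sequence number of the next byte we will accept
        self.pending = {}            # seq -> payload, buffered until contiguous
        self.stream = bytearray()    # bytes delivered in order so far

    def feed(self, seg: Segment) -> None:
        # keep the longer payload if two segments claim the same sequence number
        if len(seg.payload) > len(self.pending.get(seg.seq, b"")):
            self.pending[seg.seq] = seg.payload
        # deliver every buffered segment that is now contiguous, lowest seq first
        for seq in sorted(self.pending):
            if seq > self.next_seq:
                break                           # still a hole before this segment
            data = self.pending.pop(seq)
            skip = self.next_seq - seq          # bytes of it we already delivered
            if skip < len(data):
                self.stream += data[skip:]
                self.next_seq += len(data) - skip


def reassemble(segments, isn: int) -> bytes:
    r = TcpReassembler(isn)
    for seg in segments:
        r.feed(seg)
    return bytes(r.stream)


def stream_match(segments, pattern: bytes, isn: int) -> bool:
    """IDS view: search the reassembled byte stream instead of single packets."""
    return pattern in reassemble(segments, isn)


def segmentize(data: bytes, isn: int, sizes) -> list:
    """Cut data into segments of the given sizes (remainder last), numbered from isn."""
    segs, seq = [], isn
    for n in sizes:
        segs.append(Segment(seq, data[:n]))
        data, seq = data[n:], seq + n
    if data:
        segs.append(Segment(seq, data))
    return segs


ISN = 1000
# Constructed attacker input: an SMTP greeting with an overlong argument, the
# kind of RFC-violating command the question asks about.  The signature is
# hypothetical: the command word followed by a long run of filler bytes.
PAYLOAD = b"EHLO " + b"A" * 64 + b"\r\n"
SIGNATURE = b"EHLO " + b"A" * 32


def demo() -> dict:
    """Returns {case: (per_packet_result, stream_result)} for three deliveries."""
    whole = segmentize(PAYLOAD, ISN, [len(PAYLOAD)])
    split = segmentize(PAYLOAD, ISN, [20])        # cut inside the signature
    evasive = [split[1], split[0], split[0]]      # out of order, plus a retransmission
    return {
        name: (per_packet_match(segs, SIGNATURE), stream_match(segs, SIGNATURE, ISN))
        for name, segs in (("whole", whole), ("split", split), ("evasive", evasive))
    }


if __name__ == "__main__":
    for name, (pkt, strm) in demo().items():
        print(f"{name:8s} per-packet={pkt!s:5s} stream={strm}")
```

Run it and the "split" and "evasive" cases come back as missed by the per-packet matcher and caught on the reassembled stream; since the sender chooses the segment sizes, that split is trivial to force on purpose. A real IDS also has to decide what to do when overlapping segments carry different data, because the target host's TCP stack, not the sensor, determines which copy the application ends up seeing.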

* RE: Can netfilter do this?
From: Daniel Chemko @ 2004-03-25 17:23 UTC (permalink / raw)
  To: David Cannings, netfilter



> When text
> wraps the boundary of one packet netfilter can no longer help, some
> form of reassembly is required before the "full" text can be read and
> taken into context. 

Apparently when you use the QUEUE extension the packet is re-assembled
before the packet is passed to the userspace application. This makes
proper filtering and detection possible. You still have to track the
entire session from userspace if you want to be accurate, but that
depends on what userspace tool you're plugging into. I know of Snort and
Squid which have 'inline' modes. These programs should have some ability
to filter out the garbage.


* RE: Can netfilter do this?
From: Small, Jim @ 2004-03-25 20:53 UTC (permalink / raw)
  To: netfilter

> -----Original Message-----
> > Is netfilter capable of knowing when someone is crafting SMTP (or FTP or
> > HTTP or ...) packets that violate RFC rules to exploit a vulnerability
> > in some server?

Snort is an excellent "tool"/Network Intrusion Detection System.  You might
also be interested in this:
http://l7-filter.sourceforge.net/

Snort is more robust, but also more complex.

<> Jim


* Re: Can netfilter do this?
From: Frederic de Villamil @ 2004-03-25 21:56 UTC (permalink / raw)
  To: Joe Mott; +Cc: netfilter

On Thu, 25 Mar 2004, Joe Mott wrote:

> I have been searching the archived lists without any success to have the
> following question answered:
>
> Is netfilter capable of knowing when someone is crafting SMTP (or FTP or
> HTTP or ...) packets that violate RFC rules to exploit a vulnerability
> in some server?
>

Hi,
what you need is an IDS (intrusion detection system).
The most well known are prelude (prelude-ids.org) and snort.

Did I mention that I don't trust snort because of too many past
vulnerabilities?

Regards
Frederic


--
< Ylli> lol I'm joking neuro, I don't take you for a pervert but for a respectable president and family man :s
http://www.seclab.jp

