h1

iptables string match to drop malicious urls

August 5, 2008

iptables string match to drop malicious urls

==================================

Usually modsecurity rules can help filter many malicious url attack patterns combined with apache on apache port (http|https).  But what if a malicious attack using a vulnerable url pattern, that exposes or tries to break into your system is coming onto another port?

This is where iptables string match comes in handy.

/usr/local/sbin/iptables -I INPUT -p tcp -s 0.0.0.0/0 -m stringstring “download?file=%2e%2e” –algo bm -j DROP

[root@server ~]# iptables -L -v | grep STR
73 49908 DROP       tcp  —  any    any     anywhere             anywhere            STRING match “download?file=%2e%2e” ALGO name bm TO 65535

[root@server ~]#

The above iptable rule will block any url  that has the string “download?file=%2e%2e” on any port on your server.

Note: your iptables binary path may be /sbin/iptables

Say http://yourserverIP:9132/blah/download?file=%2e%2e

3 comments

  1. can u explain me how to block p2p with string option, i hear iptables can block p2p program..tq


  2. http://www.lowth.com/rope/Rope
    http://www.lowth.com/rope/BlockingGnutella

    http://l7-filter.sourceforge.net/

    http://lartc.org

    are some of the tools that can assist you and they are not too complex to implement.

    Besides, you can simply do this with iptables string match too, it seems to me all implement the same technology as it analyzes packet header or body string to classify, the type of traffic.

    You could probably run p2p software and then do a tcp dump of the packets, then based on the packet header or packet data, you can create the strings to be included in iptables string match.

    say you see something like ( gnutella) in the tcpdump analysis, then you could use “gnutella” as a string.


  3. hey that’s good



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: