PATCH: new HTTP Request url matching
Harald Welte
laforge@gnumonks.org
Sat, 3 Nov 2001 10:05:22 +0100
On Wed, Oct 31, 2001 at 06:24:17PM +0800, Fabrice MARIE wrote:
>
> Hello Arie,
>
> On Wednesday 31 October 2001 17:53, Arie Grapa wrote:
> > I just wrote an HTTP request matching module.
> > It does HTTP Request URL matching. I know some of you believe this should
> > be done in userspace,
>
> yep, it should ;-)
>
> > but I like it more this way.
> > I have tested it quite a bit, but if you still find problems with it
> > please let me know.
> > Example usage:
> > iptables -t filter -N urlrules
> > iptables -A urlrules -p tcp --dport 80 -m url --url cmd.exe -j REJECT \
> > --reject-with tcp-reset
>
> http://yoursite/%63%6dd.exe
> will be stopped or will pass through? ;-)
> Please note that the URL I've used is totally
> legal URL. This is a typical old IDS evasion technique.
> You should really use filtering proxies, believe me.
> Please don't get me wrong, that's not the goal.
exactly. HTTP is the best proxy-able protocol out there. Especially if you
use transparent proxies, nobody will get hurt.
If we can solve a problem in user space, we should solve it there. Only for
protocols which can't be proxied in an easy fashion, kernel-'hacks' make sense.
> Fabrice.
--
Live long and prosper
- Harald Welte / laforge@gnumonks.org http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M-
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)
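As an added illustration of Fabrice's point (this is not code from the thread or from the posted `url` module): a raw byte matcher, which is all a packet-payload match can do, misses the percent-encoded form of the URL, while matching after decoding, as a filtering proxy can do, catches it. The function names, the decode buffer size and the sample URLs are my own choices.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Percent-decode src into dst (capacity cap, always NUL-terminated).
 * Invalid or truncated escapes such as "%4" or "%zz" are copied through
 * literally. A decoded %00 ends the C string, so a caller that cares
 * should compare the returned length with strlen(dst). */
size_t url_decode(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; src[i] != '\0' && n + 1 < cap; i++) {
        int hi, lo;
        if (src[i] == '%' && (hi = hexval(src[i + 1])) >= 0
                          && (lo = hexval(src[i + 2])) >= 0) {
            dst[n++] = (char)((hi << 4) | lo);
            i += 2;               /* skip the two hex digits */
        } else {
            dst[n++] = src[i];
        }
    }
    dst[n] = '\0';
    return n;
}

/* What a raw payload string match sees: the bytes on the wire. */
bool raw_match(const char *url, const char *pattern)
{
    return strstr(url, pattern) != NULL;
}

/* What a proxy can do: normalise first, then match. */
bool normalized_match(const char *url, const char *pattern)
{
    char buf[2048];               /* constructed limit for this demo */
    url_decode(url, buf, sizeof buf);
    return strstr(buf, pattern) != NULL;
}

int main(void)
{
    /* constructed sample request paths */
    const char *urls[] = { "/cmd.exe", "/%63%6dd.exe", "/%63%6Dd.exe", "/index.html" };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-14s raw=%d normalized=%d\n", urls[i],
               raw_match(urls[i], "cmd.exe"), normalized_match(urls[i], "cmd.exe"));
    return 0;
}
```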