IDS-style use of psd
Wed, 3 Oct 2001 15:13:23 -0700 (PDT)
I'm not a member of this list (probably shouldn't be,
I'm a lowly sysadmin/perl programmer), so please
respond to me directly.
I had the idea: wouldn't it be nice to be able to use
a rule like:
... -m psd -j QUEUE
and have a userspace application that wrote an
iptables rule to block that host. I know snort +
swatch + script_on_the_firewall is a simple way to
accomplish the same thing, but I want to do this with
So, I know nothing about the internals of iptables; I
need help fleshing this idea out. I need to know how
to register for packets with ip_queue.
Assuming I get a binary dump of the packet, I can
figure out how to extract the source ip of that
packet. And based on the destination ip, I can
determine the chain (not that that's necessary --
probably want to block on both FORWARD and INPUT).
From there it's just a `iptables -A <chain> -s <ip> -j
DROP` away from doing what I want.
"Experience is that marvelous thing that enables you to recognize a mistake when you make it again." -- F. P. Jones
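The loop the post sketches (packet handed up by the QUEUE target, source address pulled out of the IP header, `iptables -A <chain> -s <ip> -j DROP` issued for both INPUT and FORWARD), as an added Python example that is not from the post or from the netfilter project. Delivery from ip_queue/libipq is assumed to hand a raw IPv4 packet to handle(); the addresses, the allowlist and the sample packet are all constructed here.

```python
import ipaddress
import struct
import subprocess

# Never auto-block these sources: a scan with a spoofed source address
# would otherwise lock out the admin host or the gateway. Constructed value.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


def parse_ipv4(pkt: bytes):
    """Return (src, dst) dotted strings from a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    src, dst = struct.unpack_from("!4s4s", pkt, 12)  # bytes 12-19 of the header
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))


class AutoBlocker:
    """Turn queued packets into iptables DROP rules, once per source host."""

    def __init__(self, dry_run=True):
        self.dry_run = dry_run   # True: only build the commands, do not run them
        self.blocked = set()     # sources already blocked, so rules are not duplicated

    def handle(self, pkt: bytes):
        src, _dst = parse_ipv4(pkt)
        addr = ipaddress.ip_address(src)
        if src in self.blocked or any(addr in net for net in ALLOWLIST):
            return []
        # -A appends, so an earlier ACCEPT rule in the chain would still win;
        # the post's rule form is kept here as written.
        cmds = [["iptables", "-A", chain, "-s", src, "-j", "DROP"]
                for chain in ("INPUT", "FORWARD")]
        for cmd in cmds:
            if not self.dry_run:
                subprocess.run(cmd, check=True)
        self.blocked.add(src)
        return cmds


def build_ipv4(src: str, dst: str) -> bytes:
    """Constructed 40-byte IPv4/TCP packet (zeroed TCP header) for testing."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + b"\x00" * 20


if __name__ == "__main__":
    blocker = AutoBlocker(dry_run=True)
    for cmd in blocker.handle(build_ipv4("203.0.113.7", "192.0.2.1")):
        print(" ".join(cmd))
```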