String matching.

Craig Knox crg@monster.gotadsl.co.uk
31 Jan 2002 11:42:30 +0000


> I was planning on using this in conjunction with snort but now maybe I will 
> just use snort. I cannot use a proxy server, but I absolutely have to block 
> these packets. I'm well aware that if I block the packet containing the 
> cmd.exe or root.exe string I will have an open tcp connection on the server 
> that will not close till it times out. So I was going to use snort to send a 
> tcp RST to that machine. What I did not want to do was have snort setting up 
> 2000 IP blocks in a few minutes for different IPs. So I was going to use the 
> string match to block the packet with the string in it and reset the TCP 
> connection on my end leaving it hung open on the sending host's end.  

Why don't you use snort-iptables?
 http://w3.cablespeed.com/~rvmcmil/

It filters packets and you can get it to reset the connection as well.
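As an added example (not from the original thread), here is what the quoted approach looks like as plain iptables rules: the string match rejects the packet with a TCP RST, so the server side is torn down immediately rather than left half-open as a bare DROP would, and no per-IP rules accumulate. It assumes a modern iptables with the xt_string match (which requires `--algo`); the function names are hypothetical.

```shell
# Added example, not code from the original thread.
# Assumes a kernel with the xt_string match (needs --algo) and iptables REJECT.

# Print one LOG rule and one REJECT rule for a pattern; prints only, does not
# touch the firewall. REJECT --reject-with tcp-reset sends an RST to the
# client and frees the server-side connection state right away.
string_reset_rule() {
    pattern="$1"
    port="${2:-80}"
    printf 'iptables -A INPUT -p tcp --dport %s -m string --string "%s" --algo bm -j LOG --log-prefix "STRING-RESET: "\n' \
        "$port" "$pattern"
    printf 'iptables -A INPUT -p tcp --dport %s -m string --string "%s" --algo bm -j REJECT --reject-with tcp-reset\n' \
        "$port" "$pattern"
}

# The weaker setting the poster wants to avoid: DROP silently discards the
# packet, so the client keeps retransmitting and the server keeps the
# connection open until it times out.
string_drop_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s -m string --string "%s" --algo bm -j DROP\n' \
        "${2:-80}" "$1"
}

# Emit the rule set for the two strings discussed in the thread.
# Review the output, then as root:  apply_string_resets | sh
apply_string_resets() {
    for p in cmd.exe root.exe; do
        string_reset_rule "$p" 80
    done
}

apply_string_resets
```

Note that `-m string` inspects each packet on its own, which is one reason keeping Snort in the picture, as discussed above, is still worthwhile.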