dchemko at smgtec.com
Mon Sep 20 21:44:46 CEST 2004
> You can try using ipt_string, but you will run into serious
> limitations. ipt_string operates on a single packet. If the string
> you are trying to match is (for whatever reason) broken into multiple
> packets, ipt_string will not find it. Also, ipt_string does not know
> anything about application level protocols (such as HTTP). If it
> finds ".exe" anywhere in the packet's payload, it will match (whereas
> Squid will match only if it is part of the URL, and you can specify that
> it must be at the end of the URL).
> If I were you, I'd stick with Squid to do application level filtering.
Or even better, use Snort-inline to detect infiltrations and use its
built-in response engine to drop the packets.
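As an added illustration of the limitation discussed above (constructed for this note, not code from the thread or from netfilter/Squid): a per-packet substring check misses a string that straddles a segment boundary and fires on ".exe" anywhere in the payload, while a stream-reassembling, URL-aware check behaves like the Squid rule described. The requests, segment sizes and helper names are assumptions for the example.

```python
"""Model of per-packet matching (ipt_string) versus URL-aware matching (Squid)."""
from typing import List

# Constructed HTTP requests: one with ".exe" at the end of the URL path,
# one where ".exe" appears only inside the query string.
REQUEST_EXE = b"GET /downloads/setup.exe HTTP/1.1\r\nHost: example.test\r\n\r\n"
REQUEST_QUERY = b"GET /search?q=.exe+files HTTP/1.1\r\nHost: example.test\r\n\r\n"


def split_into_packets(stream: bytes, mss: int) -> List[bytes]:
    """Cut a byte stream into segments of at most `mss` bytes (toy TCP segmentation)."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def packet_string_match(packets: List[bytes], needle: bytes) -> bool:
    """ipt_string model: each packet is inspected alone, with no reassembly
    and no knowledge of HTTP; any occurrence of the needle matches."""
    return any(needle in pkt for pkt in packets)


def url_path_match(packets: List[bytes], suffix: bytes) -> bool:
    """Proxy-style model: reassemble the stream, parse the request line,
    and test only whether the URL path (query string dropped) ends with `suffix`."""
    stream = b"".join(packets)
    request_line = stream.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:          # not a well-formed "METHOD URL VERSION" line
        return False
    path = parts[1].split(b"?", 1)[0]
    return path.endswith(suffix)


if __name__ == "__main__":
    # Segment size 22 puts the boundary in the middle of ".exe".
    split = split_into_packets(REQUEST_EXE, 22)
    print("ipt_string, split across packets:", packet_string_match(split, b".exe"))  # False
    print("URL-aware, split across packets: ", url_path_match(split, b".exe"))       # True
    whole = split_into_packets(REQUEST_QUERY, 1460)
    print("ipt_string, .exe in query only:  ", packet_string_match(whole, b".exe"))  # True
    print("URL-aware, .exe in query only:   ", url_path_match(whole, b".exe"))       # False
```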