Good day, all,
One of the projects I'm working on (snort2iptables, see
http://www.stearns.org/snort2iptables/) needs the ability to check the
length of the _data_ portion of a packet, i.e., the datagram minus the IP
and protocol headers. To that end, I've made a match module for dsize.
More accurately, I have shamelessly made off with James Morris'
length match and modified it to be a dsize match. I'm hoping the blatant
theft is seen as an efficient use of time and a win for the GPL, and not
as the laziness that motivated the theft. :-)
Because the module is so small, I've attached it to this message
and will make it available at http://www.stearns.org/ipt_dsize/ . The
ipt_dsize module tar includes:
2.4.15-pre6-ipt_dsize-patch: The following 4 objects, patched against 2.4.15-pre6
dsize.patch: The actual patch, .c and .h, for p-o-m
dsize.patch.config.in: The config.in change, for p-o-m
dsize.patch.configure.help: The help text, for p-o-m
dsize.patch.help: The description, for p-o-m
dsize.patch.makefile: The makefile update, for p-o-m
iptables-1.2.4-dsize-patch: The userspace util patch, against 1.2.4
Please treat this with caution. While it's based on the stable
ipt_length match, the chance of my making a mistake actually exceeds 100%
because of a statistical anomaly associated with my inability to code.
Consider it yet another example of why people like myself should only look
at code through a glass window with sufficient security alarms and rabid
dogs protecting the code.
Any and all suggestions, requests, patches are welcome! Please
let me know what changes this could use to work correctly and fit into the
netfilter framework.
Well, Rusty, it took 2 years, but I finally got you a netfilter
module. :-)
Cheers,
- Bill
Example:
iptables -N TestChain
iptables -I OUTPUT -j TestChain
iptables -A TestChain -m dsize --dsize 5 -j LOG --log-prefix 'Dsize5 '
iptables -A TestChain -m dsize --dsize 20 -j LOG --log-prefix 'Dsize20 '
iptables -A TestChain -m dsize --dsize 32 -j LOG --log-prefix 'Dsize32 '
iptables -L TestChain -n -x -v
[root@sparrow /root]# iptables -L TestChain -n -x -v
Chain TestChain (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          dsize 5 LOG flags 0 level 4 prefix `Dsize5 '
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          dsize 20 LOG flags 0 level 4 prefix `Dsize20 '
       0          0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          dsize 32 LOG flags 0 level 4 prefix `Dsize32 '
iptables -I OUTPUT -j TestChain
tail --lines=0 -f /var/log/messages
Nov 19 22:02:38 sparrow kernel: Dsize20 IN= OUT=eth0 SRC=x.x.x.x DST=y.y.y.y LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=23130 PROTO=TCP SPT=34886 DPT=22 WINDOW=6432 RES=0x00 ACK PSH URGP=0
Example 2:
for X in `seq 0 100` ; do iptables -A TestChain -m dsize --dsize $X -j LOG --log-prefix " Dsize$X " ; done
# Put in log rules that check the data length of all packets up to 100 bytes and report it.
---------------------------------------------------------------------------
'SYN! .. SYN|ACK! .. ACK!' - the mating call of the internet
(Courtesy of Bert Hubert <[EMAIL PROTECTED]>)
--------------------------------------------------------------------------
William Stearns ([EMAIL PROTECTED]). Mason, Buildkernel, named2hosts,
and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns
LinuxMonth; articles for Linux Enthusiasts! http://www.linuxmonth.com
--------------------------------------------------------------------------
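As an added illustration (not part of the post or of the ipt_dsize module itself) of what "datagram minus the IP and protocol headers" means, the function below computes that data length from a raw IPv4 packet the way a match would have to: IP total length, minus IHL*4, minus the transport header (TCP data offset*4; 8 bytes for UDP). Treating ICMP as an 8-byte header and unknown protocols as having no transport header is my assumption, and the sample packet is constructed to reproduce the logged LEN=72 TCP packet that matched --dsize 20.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Protocol numbers as carried in the IPv4 protocol field. */
#define PROTO_ICMP 1
#define PROTO_TCP  6
#define PROTO_UDP  17

/* Return the dsize of an IPv4 packet: total length minus the IP header
 * and the transport header. Returns -1 if the packet is truncated or
 * the header fields are inconsistent, so a bogus IHL/doff cannot make
 * the match read past the captured bytes. */
int dsize_of_ipv4(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;        /* IP header length */
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];     /* IP total length  */
    if (ihl < 20 || tot < ihl || tot > caplen)
        return -1;
    size_t thl;                                      /* transport hdr len */
    switch (pkt[9]) {
    case PROTO_TCP:
        if (tot - ihl < 20) return -1;
        thl = (size_t)(pkt[ihl + 12] >> 4) * 4;      /* TCP data offset  */
        if (thl < 20) return -1;
        break;
    case PROTO_UDP:  thl = 8; break;
    case PROTO_ICMP: thl = 8; break;                 /* assumption */
    default:         thl = 0; break;                 /* assumption */
    }
    if (tot - ihl < thl) return -1;
    return (int)(tot - ihl - thl);
}

/* Constructed sample: LEN=72, 20-byte IP header, 32-byte TCP header
 * (data offset 8, e.g. with timestamp options), so dsize = 72-20-32 = 20.
 * Addresses and ports are left zero; they do not affect dsize. */
static uint8_t sample_tcp[72];

int build_sample_tcp(void)
{
    memset(sample_tcp, 0, sizeof sample_tcp);
    sample_tcp[0] = 0x45;                 /* version 4, IHL 5 (20 bytes) */
    sample_tcp[2] = 0x00; sample_tcp[3] = 72;       /* total length 72 */
    sample_tcp[8] = 64;                   /* TTL */
    sample_tcp[9] = PROTO_TCP;
    sample_tcp[20 + 12] = 0x80;           /* doff 8 -> 32-byte TCP header */
    return dsize_of_ipv4(sample_tcp, sizeof sample_tcp);   /* returns 20 */
}
```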