On 11/01/2012 02:02 AM, Ed W wrote:
> Hi all. There is an interesting project that was called opendpi
> (originally by ipoque GmbH) and has recently been forked and maintained by
> the ntop guys under the nDPI label. It offers a new and currently
> maintained layer 7 (L7) packet identification library. It could
> definitely benefit from more eyes and development effort, but at present
> it gives a much better breakdown of traffic for ntop.
>
> There is a netfilter library, originally by Elian Gidoni, that I have
> updated to use the nDPI fork:
>
> https://github.com/ewildgoose/ndpi-netfilter
>
> The practical upshot is that you can do stuff like:
>
> iptables -I FORWARD -m ndpi --WinUpdate -j LOG
> or
> iptables -I FORWARD -m ndpi --skype -j REJECT
>
> In theory you can also filter Facebook, Twitter, etc., as specific named
> protocols - this ability is likely to be improved in the next iterations
> (i.e. be more configurable).
>
> Another of the clever things that nDPI does is to try and classify SSL
> traffic by examining the name on the cert. A technique that seems
> likely to allow crude identification of significant traffic. (If the
> cert says "mail.google.com", have a guess what we are doing?)
>
> The big picture here is that a lot of protocols are starting to look
> like "http", and increasingly more are just "https". Any filters are
> going to be reasonably easy for an active attacker to defeat (tunnel it
> some way), but I have a requirement to save users from themselves and so
> we want to be able to do things like limiting Windows Update and
> disallow it over the expensive satellite connection, and only allow it over
> the cheaper wifi (or 3G) connections.
>
> Simple filtering on http & https is quite useful in implementing that
> despite the limitations. Forcing connections through squid has some
> limitations (and some advantages), but at present squid can't do some of
> the things we can do with nDPI such as examining SSL certs.
>
> There is still some way to go on this project, but I started pondering
> how I might express such rules in shorewall (and trying to avoid further
> overloading MARKs).
Should be pretty easy to put together an action where the action file does
?BEGIN PERL ... ?END PERL. Have a look at action.TCPFlags for an example
(and ignore the fact that it says DropSmurfs in the heading comments).

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
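As an added illustration of the approach Tom suggests (this is not code from the thread, from Shorewall or from the ndpi-netfilter project), here is what such an action file could look like. It assumes a hypothetical action named NDPI, declared in /etc/shorewall/actions and stored as /etc/shorewall/action.NDPI, and it assumes the embedded-Perl helpers that action.TCPFlags relies on (get_action_chain, get_action_params, fatal_error and add_rule) are available to it. The `-m ndpi --<protocol>` match itself is the one Ed's iptables examples use; the protocol token is validated before it is spliced into a rule string, and the default target is LOG rather than REJECT because, as the thread notes, L7 classification is approximate and easy to defeat.

```perl
#
# /etc/shorewall/action.NDPI   (hypothetical action; added example, not Shorewall's own)
#
# Invocation in /etc/shorewall/rules, after adding a line "NDPI" to
# /etc/shorewall/actions:
#
#   #ACTION                 SOURCE   DEST
#   NDPI(WinUpdate,LOG)     loc      net    # log Windows Update flows
#   NDPI(skype,REJECT)      loc      net    # refuse Skype
#
# Parameter 1: nDPI protocol name as accepted by the ndpi match
#              (e.g. skype, WinUpdate); it becomes the --<name> flag.
# Parameter 2: iptables target, one of ACCEPT, DROP, REJECT or LOG
#              (defaults to LOG because classification is only approximate).
#
?BEGIN PERL;

use Shorewall::Config;
use Shorewall::Chains;

# Assumed to be the same helpers action.TCPFlags uses: the chain Shorewall
# created for this action instance and the parameters it was invoked with.
my $chainref = get_action_chain;
my ( $proto, $target ) = get_action_params( 2 );

$target = 'LOG' unless defined $target && $target ne '';

# Refuse anything that is not a plain protocol token: the value is spliced
# into an iptables command line, so it must not carry spaces or extra options.
fatal_error q(NDPI: first parameter must be an nDPI protocol name)
    unless defined $proto && $proto =~ /^[A-Za-z0-9_]+$/;
fatal_error q(NDPI: second parameter must be ACCEPT, DROP, REJECT or LOG)
    unless $target =~ /^(?:ACCEPT|DROP|REJECT|LOG)$/;

# Equivalent to "iptables -I FORWARD -m ndpi --skype -j REJECT" from the
# thread, but emitted into the action's own chain so that the SOURCE/DEST
# columns of the rules file decide where it applies, with no MARKs involved.
add_rule $chainref, "-m ndpi --$proto -j $target";

1;

?END PERL;
```

Because the match is expressed as an action parameter rather than a packet mark, several protocols can be handled by repeating the NDPI(...) line with different arguments, which is the MARK-free arrangement Ed was looking for.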
