RE: [suse-security] iptables rules for HTML Form Protocol Attack
Did a quick search on the netfilter site and this is what I found regarding the match string module:
>
> Last days I often see below messages in Apache log files:
> 1.1.1.1 - - [09/Jul/2003:17:32:00 +0200] "POST http://11.1.106.18:25/ HTTP/1.1" 200 475 "-" "-"
>
3.18 string patch
This patch by Emmanuel Roger <winfield@xxxxxxxxxxxx> adds a new match
that allows you to match a string anywhere in the packet.
For example, to match packets containing the string "cmd.exe" anywhere
in the packet and queue them to a userland IDS, you could use:
# iptables -A INPUT -m string --string 'cmd.exe' -j QUEUE
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
QUEUE      all  --  anywhere    anywhere     STRING match cmd.exe
Please do use this match with caution. A lot of people want to use this
match to stop worms, along with the DROP target. This is a major
mistake. It would be defeated by any IDS evasion method.
In a similar fashion, a lot of people have been using this match as a
means to stop particular functions in HTTP like POST or GET by dropping
any HTTP packet containing the string POST. Please understand that this
job is better done by a filtering proxy. Additionally, any HTML content
with the word POST would get dropped with the former method. This match
has been designed to be able to queue to userland interesting packets
for better analysis, that's all. Dropping packets based on this would be
defeated by any IDS evasion method.
Supported options for the string match are:
--string [!] string
-> Match a string in a packet
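To illustrate the two caveats quoted above, here is an added example (not from the post or from the netfilter documentation) that models a per-packet string match, as `-m string` does, next to a check over the reassembled TCP stream, as a filtering proxy would do. The request bytes, the segment split and the HTML page are constructed for the example.

```python
# Added example: models why a per-packet string match is both easy to
# miss with (pattern split across segments) and prone to false positives
# (legitimate content that happens to contain the word).
from typing import Dict, List

NEEDLE = b"POST"

def packet_matches(payload: bytes, needle: bytes = NEEDLE) -> bool:
    """Per-packet check, like `-m string --string`: only this packet's bytes."""
    return needle in payload

def any_packet_matches(segments: List[bytes], needle: bytes = NEEDLE) -> bool:
    """A per-packet filter fires if any single segment contains the needle."""
    return any(packet_matches(seg, needle) for seg in segments)

def stream_matches(segments: List[bytes], needle: bytes = NEEDLE) -> bool:
    """Proxy/IDS-style check after reassembling the TCP stream."""
    return needle in b"".join(segments)

# Constructed request, modelled on the log line in the post.
REQUEST = b"POST http://11.1.106.18:25/ HTTP/1.1\r\nHost: 11.1.106.18\r\n\r\n"

# Same request delivered in one segment and split across two segments.
ONE_SEGMENT = [REQUEST]
SPLIT = [REQUEST[:2], REQUEST[2:]]  # "PO" | "ST http://..."

# Constructed legitimate response: an HTML page that merely mentions POST.
HTML_PAGE = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<p>This form is submitted with the POST method.</p>"
]

def evaluate() -> Dict[str, bool]:
    """Compare the per-packet match with the stream match on each input."""
    return {
        "single_segment_per_packet": any_packet_matches(ONE_SEGMENT),  # caught
        "split_per_packet": any_packet_matches(SPLIT),                 # missed
        "split_stream": stream_matches(SPLIT),                         # caught
        "html_per_packet": any_packet_matches(HTML_PAGE),              # false positive
    }

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {hit}")
```

The split case is why the documentation recommends QUEUE for analysis rather than DROP, and the HTML case is the "any HTML content with the word POST would get dropped" problem it describes.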
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here