Hi,
I am looking for a convenient way to filter packets from an expression in the form of \x00 (for example). I took a look at tcpdump but couldn't find a way to do so with it, and it would actually be better if I could do so without using Wireshark (for memory consumption). This is for a bash script and any hint would help. Should I consider coding a packet filter in bash and then filter packets from my hexadecimal pattern? Or is there another tool I could use to do so?
Thanks a lot
Last edited by sugartest (2014-07-16 12:10:25)
An Arch Linux enthusiast and a Linux fan in general, mostly interested in command line use, security issues, code learning and networks.
iptables?
You have presented an XY Problem, so it's difficult to offer helpful assistance.
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Iptables is for firewall purposes and NAT prerouting, or sometimes used to spoof some stuff. According to its documentation (https://wiki.archlinux.org/index.php/Iptables#Modules) iptables seems to be able to block | filter particular packets, but it implies you know what kind of packet you want to filter. I need to have the packet content in the form of \x00 in order to detect attempts of service exploitation using NOPs or buffer overflows; I should have explained it better. I need to have a view on the packet flow so that when, for example, \x90 > X is seen, it is considered an exploitation attempt using a NOP sled.
Sorry for my bad English if I still explained it badly.
You can do that with iptables using the 'string' module.
string
This module matches a given string by using some pattern matching strategy. It requires a linux kernel >= 2.6.14.
--algo {bm|kmp}
Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
--from offset
Set the offset from which it starts looking for any matching. If not passed, default is 0.
--to offset
Set the offset up to which should be scanned. That is, byte offset-1 (counting from 0) is the last one that is scanned. If not passed, default is the packet size.
[!] --string pattern
Matches the given pattern.
[!] --hex-string pattern
Matches the given pattern in hex notation.
Examples:
# The string pattern can be used for simple text characters.
iptables -A INPUT -p tcp --dport 80 -m string --algo bm --string 'GET /index.html' -j LOG
# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|.
iptables -p udp --dport 53 -m string --algo bm --from 40 --to 57 --hex-string '|03|www|09|netfilter|03|org|00|'
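As an added example (not from this thread or the iptables project), here is how the --hex-string syntax above can be generated from a bash script for the original poster's "\x90 > X" check: the rule logs TCP packets whose payload carries a run of N identical bytes. The chain (INPUT), the LOG target and the log prefix are assumptions; the functions only print the command, so running them needs no privileges.

```shell
#!/bin/sh
# Added example: build an iptables 'string' module rule that logs packets
# containing COUNT consecutive copies of one byte (e.g. a 0x90 NOP run).
# Assumptions: chain INPUT, LOG target, prefix "NOPSLED ". Inserting the
# printed rule requires root; printing it does not.

# hex_run BYTE COUNT -> '|90 90 ... 90|' with COUNT copies of BYTE,
# i.e. the |..| hex notation accepted by --hex-string
hex_run() {
    byte=$1; count=$2; out=""
    i=0
    while [ "$i" -lt "$count" ]; do
        out="$out${out:+ }$byte"
        i=$((i + 1))
    done
    printf '|%s|' "$out"
}

# nop_rule BYTE COUNT [PORT] -> the iptables command as a single line.
# Caveat: the string module inspects one packet at a time, so a run split
# across two TCP segments is not matched; --from/--to (see the man page
# excerpt above) can narrow the scanned byte range if needed.
nop_rule() {
    byte=$1; count=$2; port=${3:-any}
    pattern=$(hex_run "$byte" "$count")
    if [ "$port" = any ]; then
        printf "iptables -A INPUT -p tcp -m string --algo bm --hex-string '%s' -j LOG --log-prefix 'NOPSLED '\n" "$pattern"
    else
        printf "iptables -A INPUT -p tcp --dport %s -m string --algo bm --hex-string '%s' -j LOG --log-prefix 'NOPSLED '\n" "$port" "$pattern"
    fi
}

# Example: log TCP packets carrying 16 consecutive 0x90 bytes on any port
nop_rule 90 16
```

The printed rule can be passed to eval or pasted into a script; a matching packet then shows up in the kernel log with the NOPSLED prefix.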
You can use tc. For instance, this is what I use to prioritize ACK and ICMP packets (stolen from here):
# ICMP
tc filter add dev $deviceName parent 1:0 protocol ip prio 10 u32 \
match ip protocol 1 0xff flowid 1:15
# ACK packets
tc filter add dev $deviceName parent 1: protocol ip prio 10 u32 \
match ip protocol 6 0xff \
match u8 0x05 0x0f at 0 \
match u16 0x0000 0xffc0 at 2 \
match u8 0x10 0xff at 33 \
flowid 1:15
Last edited by HiImTye (2014-07-11 02:40:59)
HiImTye's post reminded me: there is also the 'u32' module for iptables, which may be of benefit.
I guess I didn't look closely enough into iptables modules. I'll try everything out by the weekend and tell you how it went, but it seems I'll find the thing I was looking for.
So I guess my problem is solved.
I thank you all for your kindness, help, and quick answers.
See ya'll!
Last edited by sugartest (2014-07-11 14:19:15)
Well, thank you very much, tc was exactly what I was looking for since I can include it directly in bash.
Thanks as well for the iptables module recommendations; I'll take a look at them anyway for other purposes!
You should def go here before messing with tc & iptables, as it will go a long way to understanding how everything works.
Last edited by HiImTye (2014-07-12 09:11:00)
Wow, that sure is big! Thanks for these useful resources, I won't miss reading that!
It sure is. Section 9 gets into tc and gives you some good examples.
More than giving me helpful examples, I think it will enhance my understanding of TCP/IP a bit and accompany another reading in progress (The TCP/IP Guide).
So thanks again for this resource!