Improved String Matching (Netfilter based) in IP Firewall

I think there should be support for the following features in the iptables/netfilter firewall:

  1. multiple content / string matches in one rule, e.g. search for “Tom” AND “Smyth” inside a packet (each content string should have a NOT option as well).
  2. allow selection of the string matching algorithm for each content string match
  3. allow selection of the offset from the start of the packet at which to start searching for a string
  4. allow selection of the size of the area of the packet to be searched, e.g. search for “bad String” inside an area of 800 bytes at the start of the packet
  5. introduce the hex string match capability, e.g.
     content=“Test_for_string_followed_by_carrigereturn|0A|”

where any hex number bounded by the | (pipe) character would denote a search for a hex ASCII character (including non-printable ones)… this would be helpful in implementing some Snort functionality in the IP firewall in MikroTik.



If this feature were enabled we could fine-tune attack string signatures and do the following matching with /ip firewall filter:
$IPTABLES -A FORWARD_ESTAB -p tcp --sport 80 -m string --hex-string "new XMLHttpRequest|28|" --algo bm -m string --hex-string "file|3A|//" --algo bm -m comment --comment "sid:1735; msg:WEB-CLIENT XMLHttpRequest attempt; classtype:web-application-attack; reference:bugtraq,4628; rev:7; FWS:1.0.1;" -j LOG --log-ip-options --log-tcp-options --log-prefix "found attack string "

Some of this functionality is in Layer 7; however, we could all agree that netfilter/iptables is infinitely more stable and would be more efficient at processing some rules.

I would be delighted if this could be implemented as soon as you can

The functionality is there in the kernel… can you write an interface around that same proven, stable functionality?

Please Post if you Agree
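As an added illustration of the semantics requested above (example code written for this thread, not code from the post, from MikroTik or from netfilter), here is a small Python model of the |hex| content syntax, several AND-ed content matches each with a NOT option, and an offset/depth search window; the sid:1735 patterns come from the rule in the post, and the HTTP body it scans is constructed.

```python
import re

HEX_RE = re.compile(r"[0-9A-Fa-f]*")

def parse_content(pattern: str) -> bytes:
    """Turn a Snort-style content string into raw bytes.

    Text outside |...| is literal; hex pairs inside |...| (spaces allowed)
    become single bytes, so "file|3A|//" -> b"file://" and |0A| is a newline.
    """
    if pattern.count("|") % 2:
        raise ValueError("unbalanced '|' in pattern: %r" % pattern)
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:                      # literal text segment
            out += chunk.encode("latin-1")
        else:                               # hex segment between pipes
            digits = chunk.replace(" ", "")
            if len(digits) % 2 or not HEX_RE.fullmatch(digits):
                raise ValueError("bad hex segment: %r" % chunk)
            out += bytes.fromhex(digits)
    return bytes(out)

def match_rule(payload: bytes, contents, offset=0, depth=None) -> bool:
    """AND together several content matches, each optionally negated.

    contents: list of (pattern, negated). offset/depth restrict the search
    window the way the post asks for (start position and size of area).
    """
    end = None if depth is None else offset + depth
    window = payload[offset:end]
    for pattern, negated in contents:
        found = parse_content(pattern) in window
        if found == negated:                # hit on a NOT, or miss on a plain match
            return False
    return True

# Patterns from the sid:1735 rule in the post; the body is a constructed
# sample HTTP response, not captured traffic.
SID_1735 = [("new XMLHttpRequest|28|", False), ("file|3A|//", False)]
SAMPLE_BODY = (b"<script>var r = new XMLHttpRequest(); "
               b"r.open('GET', 'file://host/readme.txt');</script>")

def check_sample() -> bool:
    # Search only the first 800 bytes, as item 4 above suggests.
    return match_rule(SAMPLE_BODY, SID_1735, offset=0, depth=800)

if __name__ == "__main__":
    print("sid:1735 matched sample:", check_sample())
```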

I think this is a great idea and MikroTik should implement it as soon as possible…

The netfilter string matcher / firewall string matcher would be more stable than L7 filters.

Legend

Did anything ever come out of this?

–jeroen