Joined: Tue May 10, 2011 11:50 pm

Improved String Matching (Netfilter based) in IP Firewall

Wed May 11, 2011 12:03 am

I think there should be support for the following features on the iptables/netfilter firewall:

1) multiple content/string matches in one rule, e.g. search for "Tom" AND "Smyth" inside a packet (each content string should have a NOT option as well).
2) allow selection of the string matching algorithm for each content string match
3) allow selection of the offset from the start of the packet to start searching for a string
4) allow selection of the size of the area of the packet to be searched, e.g. search "bad String" inside an area of 800 bytes at the start of the packet
5) introduce the hex string match capability

where any hex number bounded by the | pipe character would denote a search for a hex ASCII character (including non-printable)... this would be helpful in implementing some Snort functionality in the IP Firewall in MikroTik.

If this feature was enabled we could fine-tune attack string signatures and do the following matching with /ip firewall filter:
$IPTABLES -A FORWARD_ESTAB -p tcp --sport 80 -m string --hex-string "new XMLHttpRequest|28|" --algo bm -m string --hex-string "file|3A|//" --algo bm -m comment --comment "sid:1735; msg:WEB-CLIENT XMLHttpRequest attempt; classtype:web-application-attack; reference:bugtraq,4628; rev:7; FWS:1.0.1;" -j LOG --log-ip-options --log-tcp-options --log-prefix "found attach string "

Some of this functionality is in Layer 7; however, we could all agree that netfilter/iptables is infinitely more stable and would be more efficient at processing some rules.

I would be delighted if this could be implemented as soon as you can.

The functionality is there in the kernel... can you write an interface around that same proven, stable functionality?

Please Post if you Agree
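The matching semantics the post above asks for (several AND-ed content strings in one rule, a NOT option per string, an offset and search size, and Snort/iptables `|hex|` notation), worked through as an added example in Python. This is not code from the post, from MikroTik or from netfilter: it models the rule logic in user space so the semantics can be seen and tested, and it does not touch the kernel. `parse_hex_string`, `ContentMatch`, `rule_matches`, `demo` and the two HTTP payloads are all constructed for the illustration; the choice of search algorithm (`--algo bm` / `kmp`) is not modelled, a plain substring search stands in for it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Snort/iptables-style hex-string notation: the bytes between | pipes | are
# hex digits (optionally space separated), everything else is literal text,
# e.g. "file|3A|//" -> b"file://".
_HEX_RUN = re.compile(r"\|([0-9A-Fa-f ]*)\|")


def parse_hex_string(pattern: str) -> bytes:
    """Decode a hex-string pattern into the raw bytes to search for."""
    out = bytearray()
    pos = 0
    for run in _HEX_RUN.finditer(pattern):
        out += pattern[pos:run.start()].encode("latin-1")
        digits = run.group(1).replace(" ", "")
        if len(digits) % 2:
            raise ValueError(f"odd number of hex digits in {pattern!r}")
        out += bytes.fromhex(digits)
        pos = run.end()
    out += pattern[pos:].encode("latin-1")
    return bytes(out)


@dataclass(frozen=True)
class ContentMatch:
    """One content test of a rule, mirroring the post's wish list: the decoded
    pattern, a NOT flag, an offset from the start of the payload, and an
    optional size of the region to search (None = to the end of the payload)."""
    pattern: bytes
    negate: bool = False
    offset: int = 0
    size: Optional[int] = None

    def matches(self, payload: bytes) -> bool:
        end = None if self.size is None else self.offset + self.size
        region = payload[self.offset:end]
        found = self.pattern in region  # plain substring search stands in for --algo
        return found != self.negate


def rule_matches(payload: bytes, contents: List[ContentMatch]) -> bool:
    """A rule fires only when every content test holds (AND semantics)."""
    return all(c.matches(payload) for c in contents)


# Constructed sample payloads (not captured traffic).
SAMPLE_HIT = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<script>var x = new XMLHttpRequest(); x.open('GET', 'file:///example.txt');</script>"
)
SAMPLE_MISS = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<script>var x = new XMLHttpRequest(); x.open('GET', '/index.html');</script>"
)

# The two -m string tests from the post's iptables rule, as content matches.
SID_1735 = [
    ContentMatch(parse_hex_string("new XMLHttpRequest|28|")),
    ContentMatch(parse_hex_string("file|3A|//")),
]


def demo() -> dict:
    """Run the sample rule over the constructed payloads and return the verdicts."""
    return {
        "hit": rule_matches(SAMPLE_HIT, SID_1735),
        "miss": rule_matches(SAMPLE_MISS, SID_1735),
        # item 4 of the post: only the first 40 bytes are searched, so the body
        # (where "file://" lives) is never examined
        "windowed": rule_matches(SAMPLE_HIT, [ContentMatch(b"file://", size=40)]),
        # NOT option: payload contains "Tom" but not "Smyth"
        "negated": rule_matches(
            b"Tom Jones", [ContentMatch(b"Tom"), ContentMatch(b"Smyth", negate=True)]
        ),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'MATCH' if verdict else 'no match'}")
```

For reference, the Linux xt_string match that the post's iptables rule uses already exposes `--from`/`--to` byte offsets, `--algo bm|kmp`, `--hex-string` and `!` negation, which is what items 2 to 5 of the wish list correspond to; the model above mirrors those options as `offset`, `size`, `parse_hex_string` and `negate`.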
Joined: Wed Jun 06, 2007 6:35 pm
Location: Tipperary / Dublin & Ireland

Re: Improved String Matching (Netfilter based) in IP Firewall

Mon Feb 27, 2012 4:05 pm

I think this is a great idea and MikroTik should implement it as soon as possible...

A netfilter string matcher / firewall string matcher would be more stable than L7 filters.

I hope this helps,
Tom Smyth,
Can't we all just get along and exchange ideas... Now that is an idea!
Joined: Mon Mar 17, 2014 11:30 am
Location: Amsterdam

Re: Improved String Matching (Netfilter based) in IP Firewall

Fri Oct 14, 2016 4:28 pm

Did anything ever come out of this?