lff0305
just joined
Topic Author
Posts: 4
Joined: Tue Aug 06, 2019 5:49 am

[ROS/Firewall] How to MANGLE by raw HEX bytes ? [SOLVED]

Tue Aug 06, 2019 5:57 am

The need is to block some DNS requests, for example, to block all DNS requests to aaa.com.
This can be done with MANGLE: mark the packet as (udp, port 53, content=aaa), then block all packets with this mark.
However, this will also block aaabbb.com.

I tried setting content=aaa.com and it does not work.

So I ran Wireshark and figured out that the DNS packet is in fact
03 61 62 63 03 63 6f 6d
meaning
(len of abc) (hex of abc) (len of com) (hex of com)

So, if I want to block abc.com exactly, I need to find some way to set content= to raw hex bytes.

I have tried Content=\03 \61 ..... \6d
or Content=\\03 \\61 ..... \\6d
or Content=0x03 0x61 ..... 0x6d

but none of them work.

Any ideas?

Thanks.

SOLVED: Thanks to everyone who replied here. I finally made it work.

The KEY TRICK is: DO NOT enter content="\03abc\03com" in the WinBox dialogs.

Instead, open a TERMINAL and run the command:
/ip firewall mangle
add action=passthrough chain=prerouting content="cnn\03com" dst-port=53 in-interface=e1_int log=yes log-prefix="DNS catch: " \
    protocol=udp
Thanks to sebastia for pointing this out (from terminal).
Last edited by lff0305 on Thu Aug 08, 2019 5:03 am, edited 2 times in total.
 
skylark
Member Candidate
Posts: 144
Joined: Wed Feb 10, 2016 3:55 pm

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Tue Aug 06, 2019 12:31 pm

Maybe you can simply use address-list?
/ip firewall address-list
add address=www.aaabbb.com list=blocked
add address=www.aaa.com list=blocked
/ip firewall filter
add action=reject chain=forward dst-address-list=blocked reject-with=icmp-network-unreachable
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Tue Aug 06, 2019 1:38 pm

Try this:
content="\03abc\03com"
 
lff0305
just joined
Topic Author
Posts: 4
Joined: Tue Aug 06, 2019 5:49 am

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Tue Aug 06, 2019 2:35 pm

> Maybe you can simply use address-list?
> /ip firewall address-list
> add address=www.aaabbb.com list=blocked
> add address=www.aaa.com list=blocked
> /ip firewall filter
> add action=reject chain=forward dst-address-list=blocked reject-with=icmp-network-unreachable
Thanks, but this will not work. www.abc.com can be hundreds of IPs. Putting www.abc.com in an address list only works for one particular IP.
 
lff0305
just joined
Topic Author
Posts: 4
Joined: Tue Aug 06, 2019 5:49 am

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Tue Aug 06, 2019 2:39 pm

> Try this:
> content="\03abc\03com"
Just tried, not working.

Steps:

Set content=abc, then run "nslookup abc.com": I can see the packets logged (I enabled logging).
Set content="\03abc\03com" and run "nslookup abc.com" again: no logs appear.

So far my guess is that ROS does not support raw hex bytes in content, but I have found no documentation to prove that.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Tue Aug 06, 2019 2:47 pm

For external DNS server:

/ip firewall layer7-protocol
add name=aaa.com regexp="\\x03aaa\\x03com"
/ip firewall filter
add place-before=0 action=reject chain=forward dst-port=53 layer7-protocol=aaa.com protocol=udp reject-with=icmp-network-unreachable

Will block aaa.com, www.aaa.com, subdomain.aaa.com, www.subdomain.aaa.com, but not aaaa.com.

If MT is DNS server (allow remote requests):

/ip dns static
# To block *.aaa.com
add address=127.0.0.1 regexp="\\.aaa\\.com\$"
# To block aaa.com
add address=127.0.0.1 name=aaa.com

Unfortunately MT cannot accept 0.0.0.0 (NXDOMAIN/null) as a static entry address.
 
sebastia
Forum Guru
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Tue Aug 06, 2019 7:46 pm

> > Try this:
> > content="\03abc\03com"
> Just tried, not working.
Working fine here (from terminal):
/ip firewall mangle
add action=passthrough chain=prerouting content="cnn\03com" dst-port=53 in-interface=e1_int log=yes log-prefix="DNS catch: " \
    protocol=udp

"ping cnn.com" generates:
18:42:31 firewall,info DNS catch: prerouting: in:e1_int out:(unknown 0), src-mac 44:8a:5b:88:87:e2, proto UDP, 192.168.1.12:58429->192.168.1.1:53, len 53
 
ploquets
Member Candidate
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Sat Sep 24, 2022 10:11 pm

Does anyone know how to drop DNS answers when the query was made with type 255 (hex FF) (type ANY)?

I tried to match content="\00\f\f" but this would not match the traffic.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Sat Sep 24, 2022 10:15 pm

If I remember right, the regexp matching in layer 7 rules ignores zero bytes. So \ff may match, but you have to combine it with other substrings to limit false positives.
 
ploquets
Member Candidate
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Sat Sep 24, 2022 10:32 pm

> If I remember right, the regexp matching in layer 7 rules ignores zero bytes. So \ff may match, but you have to combine it with other substrings to limit false positives.
When I try to use "content" in the rule, without creating a layer7-specific rule, I can't add "\FF" (only "\f\f"), but even though I'm seeing this traffic, it's not matching the amount of traffic that has the query type ANY (255 decimal).
So I'm confused about this. When I open the packet in Wireshark, the specific part about query type ANY (Wireshark calls it *) is hex 00 FF.
But I'm having trouble matching this.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Sat Sep 24, 2022 10:58 pm

For me (6.48.6), \FF (not \ff) works fine in both regexp and content.
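The byte-level behaviour this whole thread turns on (length-prefixed labels with no "." on the wire, why content="aaa.com" cannot match, why "\03aaa\03com" catches www.aaa.com but not aaaa.com or aaabbb.com, and the 00 FF bytes of a QTYPE ANY question from the later posts) can be checked offline. The following Python script is an added example and is not code from any post in the thread or from MikroTik: it builds a DNS query from scratch and runs a plain substring search over the payload, which is the semantics the content= rules above rely on. The domain names, transaction IDs and the ignore_case parameter are the example's own choices; Python's \x03 is the same byte as the \03 typed into the RouterOS terminal and the \\x03 in the layer7 regexp above.

```python
"""Byte-level view of what a DNS content matcher sees in a client query.

Added example for the thread above, not code from the thread or from
RouterOS. Everything (names, transaction IDs, the matcher) is constructed
here so it runs offline.
"""
import struct

QTYPE_A, QTYPE_ANY, QCLASS_IN = 1, 255, 1
DNS_HEADER_LEN = 12


def encode_qname(name: str) -> bytes:
    """Wire-format QNAME: each label is prefixed by its length byte and the
    whole name ends with a zero byte. No '.' ever appears on the wire, which
    is why content="aaa.com" could not match in the thread."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Minimal single-question DNS query (the UDP payload): 12-byte header
    with RD set and QDCOUNT=1, then QNAME, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def content_matches(payload: bytes, pattern: bytes, ignore_case: bool = False) -> bool:
    """Unanchored substring search over the payload, the semantics a
    content= rule relies on. DNS names are case-insensitive, so case folding
    is offered as a switch; whether the RouterOS matcher folds case is NOT
    established in the thread and must be verified on the router."""
    if ignore_case:
        return pattern.lower() in payload.lower()
    return pattern in payload


def qtype_of(payload: bytes) -> int:
    """Parse QTYPE of the first question by walking the length-prefixed
    labels. Assumes one uncompressed question, as in a client query."""
    i = DNS_HEADER_LEN
    while payload[i] != 0:
        i += 1 + payload[i]
    return struct.unpack("!H", payload[i + 1:i + 3])[0]


def hexdump(data: bytes) -> str:
    """Wireshark-style hex bytes, for comparing with the OP's capture."""
    return " ".join(f"{b:02x}" for b in data)


if __name__ == "__main__":
    q = build_query("abc.com")
    print("question bytes:", hexdump(q[DNS_HEADER_LEN:]))
    pattern = b"\x03abc\x03com"
    for name in ("abc.com", "www.abc.com", "abcd.com", "abcabc.com", "abc.com.example"):
        print(f"{name:18} matches {pattern!r}: {content_matches(build_query(name), pattern)}")
    any_q = build_query("abc.com", QTYPE_ANY)
    print("QTYPE of ANY query:", qtype_of(any_q), "- contains 00 ff:", content_matches(any_q, b"\x00\xff"))
```

Three caveats the script makes visible. First, a substring pattern without the terminating zero byte also matches a longer name such as aaa.com.example; appending the trailing 00 fixes that in Python, but sindy notes above that the layer7 regexp matcher ignores zero bytes, so check whether content= can carry it before relying on that on RouterOS. Second, a bare 00 ff pattern also hits any query whose transaction ID happens to be 0x00ff, which is the false-positive class sindy warns about; parsing the QTYPE field (qtype_of) is the precise check. Third, a case-sensitive byte match on \03aaa\03com is bypassed by a query for AAA.com, and some resolvers randomise label case deliberately, so verify on the router whether content= is case-sensitive before trusting such a rule as a block.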
