Is there a way to filter websites with Shorewall? When I say this I mean local websites. For example: My website is www.danicar.net, well I get all kinds of worm attacks like:

214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:57 -0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:57 -0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir

I was wondering if Shorewall could be used to filter this type of thing? So anything trying to get at /scripts/ or /MSADC/ or /c/ could be dropped or something.

Thanks
Joe
Joe Gofton wrote:
> Is there a way to filter websites with Shorewall? When I say this I mean
> local websites. For example: My website is www.danicar.net, well I get
> all kinds of worm attacks like:
>
> 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:57 -0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
> 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:57 -0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
> 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
> 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
> 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
>
> I was wondering if Shorewall could be used to filter this type of thing?

No. Shorewall is a packet filter - to filter based on data stream content requires some sort of Proxy.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
In fact iptables can do this with the patch string enabled.

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: <jgofton@danicar.net>
Cc: <shorewall-users@shorewall.net>
Sent: Friday, October 11, 2002 3:53 PM
Subject: Re: [Shorewall-users] Filter Question

> Joe Gofton wrote:
> > Is there a way to filter websites with Shorewall? When I say this I mean
> > local websites. For example: My website is www.danicar.net, well I get
> > all kinds of worm attacks like:
> >
> > 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:57 -0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
> > 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:57 -0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
> > 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
> > 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
> > 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
> >
> > I was wondering if Shorewall could be used to filter this type of thing?
>
> No. Shorewall is a packet filter - to filter based on data stream content
> requires some sort of Proxy.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@shorewall.net
> http://www.shorewall.net/mailman/listinfo/shorewall-users
>
Jérôme Tytgat wrote:
> In fact iptables can do this with the patch string enabled.
>

And there are long and bloody threads on the Netfilter mailing list describing why this is a very poor idea.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
> Joe Gofton wrote:
> > Is there a way to filter websites with Shorewall? When I say this I
> > mean local websites. For example: My website is www.danicar.net,
> > well I get all kinds of worm attacks like:
> >
> > 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:57 -0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
> > 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:57 -0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
> > 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
> > 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
> > 214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
> >
> > I was wondering if Shorewall could be used to filter this type of
> > thing?
>
> No. Shorewall is a packet filter - to filter based on data
> stream content requires some sort of Proxy.
>
> -Tom
> --
> Tom Eastep \ Shorewall - iptables made easy
> AIM: tmeastep \ http://www.shorewall.net
> ICQ: #60745924 \ teastep@shorewall.net
>

proxy for content-filtering -> http://www.cert.dfn.de/eng/fwl/httpf/httpf.html
I would suggest installing transparent squid and using its powerful ACL feature to filter that. But that is another list...

Tom Eastep <teastep@shorewall.net>
Sent by: shorewall-users-admin@shorewall.net
11/10/2002 11:33

To: Jérôme Tytgat <jtytgat@websurg.com>
cc: jgofton@danicar.net, shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] Filter Question

Jérôme Tytgat wrote:
> In fact iptables can do this with the patch string enabled.
>

And there are long and bloody threads on the Netfilter mailing list describing why this is a very poor idea.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
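The thread's conclusion is that the request paths Joe wants to block (/scripts/, /MSADC/, /c/, /d/, the cmd.exe and root.exe probes) are HTTP content, so the check belongs at the application layer (a proxy such as squid or httpf, or the web server's own log review), not in a packet filter like Shorewall. The following Python script is an added example, not code from the thread or from the Shorewall project: it reads Apache common-log-format lines of the kind Joe quoted, canonicalises each request path (repeated percent-decoding so that the double-encoded `..%255c..` becomes a real `..\..`, backslash to slash, dot-segment collapsing) and reports which lines trip the path rules the thread names. The sample log is constructed for the example, modelled on Joe's lines (the truncated fifth line is given a status field, and one benign request is added); the rule names and the `DENY_*` lists are the example's own.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample input, modelled on the access-log lines quoted in the
# thread. Not real captured traffic.
SAMPLE_LOG = """\
214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:57 -0300] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:57 -0300] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
214-62.sh.cgocable.ca - - [06/Oct/2002:06:59:58 -0300] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
192.0.2.10 - - [06/Oct/2002:07:01:12 -0300] "GET /index.html HTTP/1.0" 200 1532
"""

# Apache common log format: host ident authuser [date] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Path prefixes named in the thread, compared case-insensitively
# (example rule set, not a recommended production list).
DENY_PREFIXES = ("/scripts/", "/msadc/", "/c/", "/d/")
# Executables the probes try to reach, checked on the canonical path.
DENY_BASENAMES = ("cmd.exe", "root.exe")


def normalize_path(target: str, max_rounds: int = 3) -> str:
    """Reduce a request target to one canonical absolute path.

    Drops the query string, percent-decodes repeatedly (so a double-encoded
    %255c ends up as a backslash), maps backslashes to slashes and collapses
    dot segments, so encoded spellings compare equal to the plain path.
    """
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def classify(target: str):
    """Return the rule a request target trips, or None if it looks benign."""
    raw = target.split("?", 1)[0].lower()
    norm = normalize_path(target).lower()
    for prefix in DENY_PREFIXES:
        # Match on the raw spelling and on the canonical one.
        if raw.startswith(prefix) or norm.startswith(prefix):
            return "prefix:" + prefix
    base = posixpath.basename(norm)
    if base in DENY_BASENAMES:
        return "basename:" + base
    return None


def scan_log(text: str) -> list:
    """Parse log lines and return one record per request that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at fields
        rule = classify(m["target"])
        if rule:
            hits.append({"host": m["host"], "target": m["target"],
                         "path": normalize_path(m["target"]), "rule": rule})
    return hits


def probe_counts(text: str) -> Counter:
    """How many flagged requests each source host sent."""
    return Counter(h["host"] for h in scan_log(text))


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["host"]}  {h["rule"]:<18} {h["path"]}')
    print(probe_counts(SAMPLE_LOG))
```

The canonicalisation step is the part a byte-string match inside a packet filter cannot do: a request may be split across TCP segments, and the same path can be spelled several ways on the wire, which is the gist of Tom's objection to the iptables string patch. Run the script over a real access log (`python3 scan.py < access_log`, after swapping `SAMPLE_LOG` for `sys.stdin.read()`) to get the same per-host summary.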