iptables string
# 1  
Old 05-28-2013

Hi,

How can we differentiate the following two packets and use that in iptables, say for a string match? What kind of string can we use for these two types in iptables? Any ideas?


In the case where the packet is good, we can see lots of ..... ..... .... ................ in the data field,


while in the data field of an attack packet there is much less or almost no ..... ..... ......... in the data field, or no gaps between the letters.

Sample tcpdump of a good packet
#########################################

Code:
17:44:33.144049 IP (tos 0x0, ttl 124, id 25715, offset 0, flags [DF], proto TCP (6), length 740)
    someIPAddr.3024 > someIPAddr1.22212: Flags [P.], cksum 0x5711 (correct), seq 2662525094:2662525794, ack 1599992148, win 63196, length 700
        0x0000:  4500 02e4 6473 4000 7c06 0667 c60f 4872  E...ds@.|..g..Hr
        0x0010:  be71 c446 0bd0 56c4 9eb2 e8a6 5f5d f154  .q.F..V....._].T
        0x0020:  5018 f6dc 5711 0000 6603 00de 1400 cccc  P...W...f.......
        0x0030:  cccc cccc bcca e2f5 e0c7 fbfb f5c1 f2e6  ................
        0x0040:  e6c2 f4e1 8ab9 ffe4 6603 0098 1400 cccc  ........f.......
        0x0050:  cccc cccc 4cc4 badf 6797 26fa ada9 6ed0  ....L...g.&...n.
        0x0060:  368b 42c6 75bf eccf 6603 0012 1400 cccc  6.B.u...f.......
        0x0070:  cccc cccc c099 0ec7 5083 7ec8 bde5 86cd  ........P.~.....
        0x0080:  aef0 d6c6 0e92 d4e1 6603 004f 1400 cccc  ........f..O....
        0x0090:  cccc cccc ccc7 cecb 2bf2 19d7 dd9f 9ac6  ........+.......
        0x00a0:  868b d6df b19d 4fcd 6603 00e7 1400 cccc  ......O.f.......
        0x00b0:  cccc cccc 44ce f8f9 e3c3 27e8 e5c2 f4e1  ....D.....'.....
        0x00c0:  66b6 fae2 e3c4 31e3 6603 0085 1400 cccc  f.....1.f.......
        0x00d0:  cccc cccc 94cc 38e1 cec6 dee4 f5c3 fafa  ......8.........
        0x00e0:  56c2 f0e1 c8c4 06e3 01b5 0082 3400 cccc  V...........4...
        0x00f0:  cccc cccc f5f2 fae1 1576 f2e1 c456 32db  .........v...V2.
        0x0100:  aab8 1cf7 c08e c4a8 e8a9 46fc 7cbd 4ae1  ..........F.|.J.
        0x0110:  c48e c6ad c08e c0ae c480 bead b4bb aaad  ................
        0x0120:  b88f ccb3 b48e a0a3 00b5 007d 9c00 cccc  ...........}....
        0x0130:  cccc cccc edf1 fbd7 4667 a592 9557 d8e1  ........Fg...W..
        0x0140:  5066 2817 5889 8692 7889 a299 de8e 1ae4  Pf(.X...x.......
        0x0150:  8061 a2c9 5c90 d0cb ac1f 1f3f 62d9 68f5  .a..\......?b.h.
        0x0160:  26d5 dac6 96bd e0f8 6ec4 63d7 b794 35cd  &.......n.c...5.
        0x0170:  acef 4fcb fd3a 0ec6 9f1c d7c6 4490 d6e1  ..O..:......D...
        0x0180:  883f 54d6 6ed8 55d6 d99a d6e4 46c0 99fb  .?T.n.U.....F...
        0x0190:  bd03 c2df 1904 e7fa b89b 02f9 f8f1 02e1  ................
        0x01a0:  aaae 23dc 4092 14fa acbf 22df ac81 d6cd  ..#.@.....".....
        0x01b0:  ac8b 0ad0 648b e2d7 6fba 0ef8 e857 a2c4  ....d...o....W..
        0x01c0:  7857 1299 7889 a2aa c5c1 7498 7851 daaa  xW..x.....t.xQ..
        0x01d0:  0624 0057 3c00 cccc cccc cccc c08d beb2  .$.W<...........
        0x01e0:  282f 3f42 d630 fae2 f4c2 fae1 f0b8 f4d5  (/?B.0..........
        0x01f0:  8cf8 bedf 5c8e c8ad f9c2 fae1 db46 fdda  ....\........F..
        0x0200:  d565 f4f8 82ef f7e2 ec60 f4e1 747a c6ad  .e.......`..tz..
        0x0210:  e4c2 f2e1 e8c2 32db 00b1 0023 1800 cccc  ......2....#....
        0x0220:  cccc cccc 01c4 9cae f5c5 00c6 4cc2 72f2  ............L.r.
        0x0230:  ed36 fae1 4518 b34d 95e6 0ce6 0624 0047  .6..E..M.....$.G
        0x0240:  3c00 cccc cccc cccc b098 bead 2c2f 7d3c  <...........,/}<
        0x0250:  663e fae1 f4c2 f8dc e8a9 46fc 7cbd 4ae1  f>........F.|.J.
        0x0260:  c08e c6ad f9c2 f4e2 eb36 f3e1 c992 dee1  .........6......
        0x0270:  b2f0 01e7 d455 d4d7 c08d bead e4c2 f4e1  .....U..........
        0x0280:  64b6 fae2 4032 0065 5400 0000 7a2b 9202  d...@2.eT...z+..
        0x0290:  f8d0 ffe2 f4f4 2ae1 e0c2 fae1 f4c2 22e2  ......*.......".
        0x02a0:  415b 86dd 1dd6 5ff5 e5c4 1fe3 d566 f2e1  A[...._......f..
        0x02b0:  4c57 fae2 8cc9 f8e2 e8c0 cee2 e5cd 70e3  LW............p.
        0x02c0:  fcc4 f7e1 fbc3 fafa 54c2 f2e1 f5c3 f3e1  ........T.......
        0x02d0:  f4c3 6ee4 8acb d8dc f4ab 54d6 a8ab 54d6  ..n.......T...T.

Sample tcpdump of a LOIC/DoS attack attempt
#####################################
Code:
16:42:06.218874 IP (tos 0x20, ttl 108, id 15132, offset 0, flags [DF], proto TCP (6), length 1482)
    someIPAddr.23257 > someIPAddr1.3020: Flags [P.], cksum 0xa999 (correct), seq 3862663562:3862665004, ack 523218389, win 4326, length 1442
        0x0000:  4520 05ca 3b1c 4000 6c06 b786 c60f 4872  E...;.@.l.....Hr
        0x0010:  c60f 41da 5ad9 0bcc e63b 918a 1f2f add5  ..A.Z....;.../..
        0x0020:  5018 10e6 a999 0000 5520 6475 6e20 676f  P.......U.dun.go
        0x0030:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0040:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0050:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0060:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0070:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0080:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0090:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x00a0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x00b0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x00c0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x00d0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x00e0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x00f0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0100:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0110:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0120:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0130:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0140:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0150:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0160:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0170:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0180:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0190:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x01a0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x01b0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x01c0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x01d0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x01e0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x01f0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0200:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0210:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0220:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0230:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0240:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0250:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0260:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0270:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0280:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0290:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x02a0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x02b0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x02c0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x02d0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x02e0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x02f0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0300:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0310:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0320:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0330:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0340:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0350:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0360:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0370:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0380:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0390:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x03a0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x03b0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x03c0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x03d0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x03e0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x03f0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0400:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0410:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0420:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0430:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0440:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0450:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0460:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0470:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0480:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0490:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x04a0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x04b0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x04c0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x04d0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x04e0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x04f0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0500:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0510:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0520:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0530:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0540:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0550:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0560:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0570:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0580:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0590:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x05a0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x05b0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x05c0:  6e20 676f 6f66 6564 5520                 n.goofedU.
16:42:06.219286 IP (tos 0x20, ttl 109, id 15133, offset 0, flags [DF], proto TCP (6), length 50)
    someIPAddr1.23257 > someIPAddr.3020: Flags [P.], cksum 0xcd08 (correct), seq 3862665004:3862665014, ack 523218389, win 4326, length 10
        0x0000:  4520 0032 3b1d 4000 6d06 c097 be41 452e  E..2;.@.m....AE.
        0x0010:  c60f 4872 5ad9 0bcc e63b 972c 1f2f add5  ..HrZ....;.,./..
        0x0020:  5018 10e6 cd08 0000 6475 6e20 676f 6f66  P.......dun.goof
        0x0030:  6564                                     ed
16:42:06.219339 IP (tos 0x20, ttl 108, id 15133, offset 0, flags [DF], proto TCP (6), length 50)
    someIPAddr.23257 > someIPAddr1.3020: Flags [P.], cksum 0xc88e (correct), seq 3862665004:3862665014, ack 523218389, win 4326, length 10
        0x0000:  4520 0032 3b1d 4000 6c06 bd1d c60f 4872  E..2;.@.l.....Hr
        0x0010:  c60f 41da 5ad9 0bcc e63b 972c 1f2f add5  ..A.Z....;.,./..
        0x0020:  5018 10e6 c88e 0000 6475 6e20 676f 6f66  P.......dun.goof
        0x0030:  6564                                     ed

---------- Post updated 05-29-13 at 01:10 AM ---------- Previous update was 05-28-13 at 06:48 AM ----------

It seems we need to find a way to detect a packet whose data is a few words or a sentence that repeat themselves, and then create some sort of string/regular expression that can be applied to the iptables string match, although I am not sure if we can use regular expressions with the iptables string match directly.
# 2  
Old 05-28-2013
One way to do this might be to feed suspect data through a simple compressor like gzip or lzop and see how well it compresses. If it compresses a LOT, the data was mostly repeats; if it compressed only moderately, the data is more likely genuine.

If they start sending you random garbage instead of repeats this won't work.
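An added example (not from the thread) in Python that puts both ideas together: it rebuilds the packets from the tcpdump -X hex posted above (the first six rows of each capture are embedded as constructed excerpts), strips the IP/TCP headers, and applies post #2's compressibility test with zlib (the deflate used by gzip) alongside a search for the smallest repeating unit that post #1 is after.

```python
import re
import zlib

# Constructed excerpts: the first 96 bytes of each tcpdump -X capture posted above.
GOOD_DUMP = """\
        0x0000:  4500 02e4 6473 4000 7c06 0667 c60f 4872  E...ds@.|..g..Hr
        0x0010:  be71 c446 0bd0 56c4 9eb2 e8a6 5f5d f154  .q.F..V....._].T
        0x0020:  5018 f6dc 5711 0000 6603 00de 1400 cccc  P...W...f.......
        0x0030:  cccc cccc bcca e2f5 e0c7 fbfb f5c1 f2e6  ................
        0x0040:  e6c2 f4e1 8ab9 ffe4 6603 0098 1400 cccc  ........f.......
        0x0050:  cccc cccc 4cc4 badf 6797 26fa ada9 6ed0  ....L...g.&...n.
"""
ATTACK_DUMP = """\
        0x0000:  4520 05ca 3b1c 4000 6c06 b786 c60f 4872  E...;.@.l.....Hr
        0x0010:  c60f 41da 5ad9 0bcc e63b 918a 1f2f add5  ..A.Z....;.../..
        0x0020:  5018 10e6 a999 0000 5520 6475 6e20 676f  P.......U.dun.go
        0x0030:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0040:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0050:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
"""

# tcpdump -X rows: offset, two spaces, a 39-column hex field, two spaces, ASCII.
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]+:\s{2}(.{1,39})")

def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild the raw packet from the hex column; the ASCII column is ignored."""
    hexdigits = "".join(m.group(1) for m in map(HEX_LINE.match, dump.splitlines()) if m)
    return bytes.fromhex(hexdigits.replace(" ", ""))

def tcp_payload(pkt: bytes) -> bytes:
    """Strip the IPv4 and TCP headers using their own length fields (IHL, data offset)."""
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + doff:]

def compress_ratio(data: bytes) -> float:
    """Post #2's test: compressed size / raw size; repeated text scores well below 1."""
    return len(zlib.compress(data, 9)) / len(data)

def repeat_unit(data: bytes, min_repeats: int = 3):
    """Smallest string the payload is a repetition of, or None if there is none."""
    for p in range(1, len(data) // min_repeats + 1):
        if data[p:] == data[:-p]:  # period p; also covers a trailing partial repeat
            return data[:p]
    return None

def classify(dump: str, ratio_threshold: float = 0.5) -> dict:
    """Run both tests on one captured packet; 'unit' is the literal for --string."""
    payload = tcp_payload(parse_tcpdump_hex(dump))
    ratio, unit = compress_ratio(payload), repeat_unit(payload)
    return {"ratio": round(ratio, 2), "unit": unit,
            "suspicious": ratio < ratio_threshold or unit is not None}
```

The repeating unit it reports is the literal to hand to the iptables string match, e.g. `-m string --algo bm --string "U dun goofed" -j DROP`, which takes a fixed string (or `--hex-string`), not a regular expression.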
# 3  
Old 05-28-2013
Can you explain how to do this?

"One way to do this might be to feed suspect data through a simple compressor like gzip or lzop and see how well it compresses. If it compresses a LOT, the data was mostly repeats; if it compressed only moderately, the data is more likely genuine."

Thank you