Monday, February 16, 2004

Playing with IPTables

I've been playing around with tying IPTables to Snort, experimenting with the idea of an adaptive Layer 3/4 firewall with layer 7 sensing (i.e., Snort senses something bad in content and sends a rule modification to the IPTables box). Not sure how well it's going to turn out, but it's interesting to work on. Got sidetracked into the string matching capability of IPTables and lost a day of "work". Example:

# Backslashes inside double quotes are passed to iptables literally, so the patterns are written without them; --algo is required by the in-tree xt_string match (the 2004 patch-o-matic version did not need it).
iptables -I INPUT -j DROP -p tcp -d 0.0.0.0/0 -m string --algo bm --string "JOIN :#"
iptables -I INPUT -j DROP -p tcp -d 0.0.0.0/0 -m string --algo bm --string "PRIVMSG "

Courtesy of the Firewall Wizards Mailing List.