Packet filter

Started by UserLoser., October 12, 2004, 05:34 PM


UserLoser.

How would I go about writing a packet filter?  I'm not sure how to monitor everything that happens on every incoming packet to your system.  I've been looking at iphlp things on MSDN, along with disassembling this application I got the other day which does everything I need for filtering, but doesn't do anything automatic like I'm looking for.  Basically, what I want to do is write my own filtering application which'll automatically filter incoming packets from X IP address after it sends TCP packets with the SYN flag set so many times in X amount of time (resistance against SYN floods).
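The decision logic the question asks for, as an added example that is not code from the thread: a per-source sliding-window SYN counter fed with raw Ethernet/IPv4/TCP frames and their capture timestamps (the shape a WinPcap callback delivers). The threshold, window, `build_syn` helper and the frames it constructs are assumptions for illustration; sending or dropping is left to the capture layer.

```python
import struct
from collections import defaultdict, deque

TCP_SYN = 0x02
TCP_ACK = 0x10

def is_new_syn(frame: bytes):
    """Return the source IPv4 address if the frame is a bare TCP SYN (no ACK), else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # Ethertype must be IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                              # IPv4 header length in bytes
    if ip[9] != 6 or len(ip) < ihl + 14:                  # protocol 6 = TCP; need flags byte
        return None
    src = ".".join(str(b) for b in ip[12:16])
    flags = ip[ihl + 13]                                  # TCP flags byte
    if flags & TCP_SYN and not flags & TCP_ACK:
        return src
    return None

class SynRateFilter:
    """Block a source after more than max_syns SYNs inside any window_seconds span."""
    def __init__(self, max_syns, window_seconds):
        self.max_syns = max_syns
        self.window = window_seconds
        self.history = defaultdict(deque)                 # src ip -> recent SYN timestamps
        self.blocked = set()

    def observe(self, frame, now):
        """Feed one captured frame with its timestamp; True means drop traffic from src."""
        src = is_new_syn(frame)
        if src is None:
            return False
        if src in self.blocked:
            return True
        q = self.history[src]
        q.append(now)
        while q and now - q[0] > self.window:             # forget SYNs outside the window
            q.popleft()
        if len(q) > self.max_syns:
            self.blocked.add(src)
            return True
        return False

def build_syn(src_ip, flags=TCP_SYN):
    """Constructed test frame (Ethernet + minimal IPv4 + TCP, checksums zero); never transmitted."""
    eth = b"\x00" * 12 + b"\x08\x00"
    src = bytes(int(o) for o in src_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src, b"\x0a\x00\x00\x01")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp
```

Real captures carry VLAN tags and IP options, which is why the header length is read from the IHL field rather than assumed.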

iago

I use the iptables firewall/routing software on Linux to do that.  It's a kernel-mode firewall, and it's really flexible.  Not quite as flexible as I'd like, however, because it's layer 3 (can't analyze the actual data), but it's pretty nice.  And yes, you can do rate limiting.

Another option is a hardware IPS system.  We use Tipping Point at work, which also has rate limiting functionality.

How to do it on Windows for free, or for yourself, I'm not sure.
This'll make an interesting test for broken AV:
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


UserLoser.

I'm going to use WinPcap.  Now it's just a matter of doing the filtering.

Adron

> Quote from: iago on October 12, 2004, 05:39 PM
> I use the iptables firewall/routing software on Linux to do that.  It's a kernel-mode firewall, and it's really flexible.  Not quite as flexible as I'd like, however, because it's layer 3 (can't analyze the actual data), but it's pretty nice.  And yes, you can do rate limiting.

Iptables can't analyze actual data? Isn't that just that you don't have the right condition module?

iago

> Quote from: Adron on October 13, 2004, 02:45 AM
> > Quote from: iago on October 12, 2004, 05:39 PM
> > I use the iptables firewall/routing software on Linux to do that.  It's a kernel-mode firewall, and it's really flexible.  Not quite as flexible as I'd like, however, because it's layer 3 (can't analyze the actual data), but it's pretty nice.  And yes, you can do rate limiting.
>
> Iptables can't analyze actual data? Isn't that just that you don't have the right condition module?

That's possible.  I read a fairly extensive tutorial on it, and it never went past IP and TCP stuff.


iago

http://uqconnect.net/~zzoklan/software/#net_tools

See SynAlert.  It's slightly different (alert for incoming connections), but it's kinda what you're looking for.