iptables string

Hi,

How can we differentiate the following two packets and use that in iptables, for say a string match? What kind of string can we use for these two types in iptables? Any ideas?

In the case where the packet is good, we can see lots of ..... ..... .... ................ in the data field.

While in the data field of an attack packet, there are far fewer or almost no ..... ..... ......... in the data field, or no gaps between the letters.

Sample tcpdump of a good packet
#########################################

17:44:33.144049 IP (tos 0x0, ttl 124, id 25715, offset 0, flags [DF], proto TCP (6), length 740)
    someIPAddr.3024 > someIPAddr1.22212: Flags [P.], cksum 0x5711 (correct), seq 2662525094:2662525794, ack 1599992148, win 63196, length 700
        0x0000:  4500 02e4 6473 4000 7c06 0667 c60f 4872  E...ds@.|..g..Hr
        0x0010:  be71 c446 0bd0 56c4 9eb2 e8a6 5f5d f154  .q.F..V....._].T
        0x0020:  5018 f6dc 5711 0000 6603 00de 1400 cccc  P...W...f.......
        0x0030:  cccc cccc bcca e2f5 e0c7 fbfb f5c1 f2e6  ................
        0x0040:  e6c2 f4e1 8ab9 ffe4 6603 0098 1400 cccc  ........f.......
        0x0050:  cccc cccc 4cc4 badf 6797 26fa ada9 6ed0  ....L...g.&...n.
        0x0060:  368b 42c6 75bf eccf 6603 0012 1400 cccc  6.B.u...f.......
        0x0070:  cccc cccc c099 0ec7 5083 7ec8 bde5 86cd  ........P.~.....
        0x0080:  aef0 d6c6 0e92 d4e1 6603 004f 1400 cccc  ........f..O....
        0x0090:  cccc cccc ccc7 cecb 2bf2 19d7 dd9f 9ac6  ........+.......
        0x00a0:  868b d6df b19d 4fcd 6603 00e7 1400 cccc  ......O.f.......
        0x00b0:  cccc cccc 44ce f8f9 e3c3 27e8 e5c2 f4e1  ....D.....'.....
        0x00c0:  66b6 fae2 e3c4 31e3 6603 0085 1400 cccc  f.....1.f.......
        0x00d0:  cccc cccc 94cc 38e1 cec6 dee4 f5c3 fafa  ......8.........
        0x00e0:  56c2 f0e1 c8c4 06e3 01b5 0082 3400 cccc  V...........4...
        0x00f0:  cccc cccc f5f2 fae1 1576 f2e1 c456 32db  .........v...V2.
        0x0100:  aab8 1cf7 c08e c4a8 e8a9 46fc 7cbd 4ae1  ..........F.|.J.
        0x0110:  c48e c6ad c08e c0ae c480 bead b4bb aaad  ................
        0x0120:  b88f ccb3 b48e a0a3 00b5 007d 9c00 cccc  ...........}....
        0x0130:  cccc cccc edf1 fbd7 4667 a592 9557 d8e1  ........Fg...W..
        0x0140:  5066 2817 5889 8692 7889 a299 de8e 1ae4  Pf(.X...x.......
        0x0150:  8061 a2c9 5c90 d0cb ac1f 1f3f 62d9 68f5  .a..\......?b.h.
        0x0160:  26d5 dac6 96bd e0f8 6ec4 63d7 b794 35cd  &.......n.c...5.
        0x0170:  acef 4fcb fd3a 0ec6 9f1c d7c6 4490 d6e1  ..O..:......D...
        0x0180:  883f 54d6 6ed8 55d6 d99a d6e4 46c0 99fb  .?T.n.U.....F...
        0x0190:  bd03 c2df 1904 e7fa b89b 02f9 f8f1 02e1  ................
        0x01a0:  aaae 23dc 4092 14fa acbf 22df ac81 d6cd  ..#.@.....".....
        0x01b0:  ac8b 0ad0 648b e2d7 6fba 0ef8 e857 a2c4  ....d...o....W..
        0x01c0:  7857 1299 7889 a2aa c5c1 7498 7851 daaa  xW..x.....t.xQ..
        0x01d0:  0624 0057 3c00 cccc cccc cccc c08d beb2  .$.W<...........
        0x01e0:  282f 3f42 d630 fae2 f4c2 fae1 f0b8 f4d5  (/?B.0..........
        0x01f0:  8cf8 bedf 5c8e c8ad f9c2 fae1 db46 fdda  ....\........F..
        0x0200:  d565 f4f8 82ef f7e2 ec60 f4e1 747a c6ad  .e.......`..tz..
        0x0210:  e4c2 f2e1 e8c2 32db 00b1 0023 1800 cccc  ......2....#....
        0x0220:  cccc cccc 01c4 9cae f5c5 00c6 4cc2 72f2  ............L.r.
        0x0230:  ed36 fae1 4518 b34d 95e6 0ce6 0624 0047  .6..E..M.....$.G
        0x0240:  3c00 cccc cccc cccc b098 bead 2c2f 7d3c  <...........,/}<
        0x0250:  663e fae1 f4c2 f8dc e8a9 46fc 7cbd 4ae1  f>........F.|.J.
        0x0260:  c08e c6ad f9c2 f4e2 eb36 f3e1 c992 dee1  .........6......
        0x0270:  b2f0 01e7 d455 d4d7 c08d bead e4c2 f4e1  .....U..........
        0x0280:  64b6 fae2 4032 0065 5400 0000 7a2b 9202  d...@2.eT...z+..
        0x0290:  f8d0 ffe2 f4f4 2ae1 e0c2 fae1 f4c2 22e2  ......*.......".
        0x02a0:  415b 86dd 1dd6 5ff5 e5c4 1fe3 d566 f2e1  A[...._......f..
        0x02b0:  4c57 fae2 8cc9 f8e2 e8c0 cee2 e5cd 70e3  LW............p.
        0x02c0:  fcc4 f7e1 fbc3 fafa 54c2 f2e1 f5c3 f3e1  ........T.......
        0x02d0:  f4c3 6ee4 8acb d8dc f4ab 54d6 a8ab 54d6  ..n.......T...T.

Sample tcpdump of a LOIC/DoS attack attempt
#####################################

16:42:06.218874 IP (tos 0x20, ttl 108, id 15132, offset 0, flags [DF], proto TCP (6), length 1482)
    someIPAddr.23257 > someIPAddr1.3020: Flags [P.], cksum 0xa999 (correct), seq 3862663562:3862665004, ack 523218389, win 4326, length 1442
        0x0000:  4520 05ca 3b1c 4000 6c06 b786 c60f 4872  E...;.@.l.....Hr
        0x0010:  c60f 41da 5ad9 0bcc e63b 918a 1f2f add5  ..A.Z....;.../..
        0x0020:  5018 10e6 a999 0000 5520 6475 6e20 676f  P.......U.dun.go
        0x0030:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0040:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0050:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0060:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0070:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0080:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0090:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x00a0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x00b0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x00c0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x00d0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x00e0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x00f0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0100:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0110:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0120:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0130:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0140:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0150:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0160:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0170:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0180:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0190:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x01a0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x01b0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x01c0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x01d0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x01e0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x01f0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0200:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0210:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0220:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0230:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0240:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0250:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0260:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0270:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0280:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0290:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x02a0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x02b0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x02c0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x02d0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x02e0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x02f0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0300:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0310:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0320:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0330:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0340:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0350:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0360:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0370:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0380:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0390:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x03a0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x03b0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x03c0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x03d0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x03e0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x03f0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0400:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0410:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0420:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0430:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0440:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0450:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0460:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0470:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0480:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0490:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x04a0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x04b0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x04c0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x04d0:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x04e0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x04f0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0500:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0510:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0520:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0530:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0540:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0550:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0560:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x0570:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x0580:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x0590:  6e20 676f 6f66 6564 5520 6475 6e20 676f  n.goofedU.dun.go
        0x05a0:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
        0x05b0:  5520 6475 6e20 676f 6f66 6564 5520 6475  U.dun.goofedU.du
        0x05c0:  6e20 676f 6f66 6564 5520                 n.goofedU.
16:42:06.219286 IP (tos 0x20, ttl 109, id 15133, offset 0, flags [DF], proto TCP (6), length 50)
    someIPAddr1.23257 > someIPAddr.3020: Flags [P.], cksum 0xcd08 (correct), seq 3862665004:3862665014, ack 523218389, win 4326, length 10
        0x0000:  4520 0032 3b1d 4000 6d06 c097 be41 452e  E..2;.@.m....AE.
        0x0010:  c60f 4872 5ad9 0bcc e63b 972c 1f2f add5  ..HrZ....;.,./..
        0x0020:  5018 10e6 cd08 0000 6475 6e20 676f 6f66  P.......dun.goof
        0x0030:  6564                                     ed
16:42:06.219339 IP (tos 0x20, ttl 108, id 15133, offset 0, flags [DF], proto TCP (6), length 50)
    someIPAddr.23257 > someIPAddr1.3020: Flags [P.], cksum 0xc88e (correct), seq 3862665004:3862665014, ack 523218389, win 4326, length 10
        0x0000:  4520 0032 3b1d 4000 6c06 bd1d c60f 4872  E..2;.@.l.....Hr
        0x0010:  c60f 41da 5ad9 0bcc e63b 972c 1f2f add5  ..A.Z....;.,./..
        0x0020:  5018 10e6 c88e 0000 6475 6e20 676f 6f66  P.......dun.goof
        0x0030:  6564                                     ed

---------- Post updated 05-29-13 at 01:10 AM ---------- Previous update was 05-28-13 at 06:48 AM ----------

It seems we need to find a way to see in a packet that has data with a few words or a sentence that repeat themselves, and then create some sort of string/regular expression that can be applied to the iptables string match, although I am not sure if we can use regular expressions with the iptables string match directly.

One way to do this might be to feed suspect data through a simple compressor like gzip or lzop and see how well it compresses. If it compresses a LOT, the data was mostly repeats; if it compressed only moderately, the data is more likely genuine.

If they start sending you random garbage instead of repeats this won't work.

Can you explain how to do this?

"One way to do this might be to feed suspect data through a simple compressor like gzip or lzop and see how well it compresses. If it compresses a LOT, the data was mostly repeats; if it compressed only moderately, the data is more likely genuine."

Thank you
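As an added worked example (not code from any poster in this thread): the compression-ratio test suggested above, applied to the TCP payload recovered from tcpdump -X style hex-dump text, plus a search for the shortest repeating unit, which is the kind of fixed string the iptables string match needs. It assumes the input is the tcpdump hex-dump format shown in the post; the two embedded samples are the first lines of the good and LOIC dumps from the original post, and the full 1442-byte LOIC payload is reconstructed as the dumped phrase repeated to the dumped length.

```python
import re
import zlib

# Constructed samples: first hex-dump lines of the two packets posted above.
GOOD_DUMP = """\
0x0000:  4500 02e4 6473 4000 7c06 0667 c60f 4872  E...ds@.|..g..Hr
0x0010:  be71 c446 0bd0 56c4 9eb2 e8a6 5f5d f154  .q.F..V....._].T
0x0020:  5018 f6dc 5711 0000 6603 00de 1400 cccc  P...W...f.......
0x0030:  cccc cccc bcca e2f5 e0c7 fbfb f5c1 f2e6  ................
0x0040:  e6c2 f4e1 8ab9 ffe4 6603 0098 1400 cccc  ........f.......
0x0050:  cccc cccc 4cc4 badf 6797 26fa ada9 6ed0  ....L...g.&...n.
0x0060:  368b 42c6 75bf eccf 6603 0012 1400 cccc  6.B.u...f.......
"""
LOIC_DUMP = """\
0x0000:  4520 05ca 3b1c 4000 6c06 b786 c60f 4872  E...;.@.l.....Hr
0x0010:  c60f 41da 5ad9 0bcc e63b 918a 1f2f add5  ..A.Z....;.../..
0x0020:  5018 10e6 a999 0000 5520 6475 6e20 676f  P.......U.dun.go
0x0030:  6f66 6564 5520 6475 6e20 676f 6f66 6564  ofedU.dun.goofed
"""
# Reconstructed full LOIC payload (length 1442, as in the posted dump).
LOIC_PAYLOAD = b"U dun goofed" * 120 + b"U "

def frame_from_dump(text):
    """Turn tcpdump -X hex-dump lines back into the raw IP packet bytes."""
    words = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())  # offset | hex | ascii
        if len(parts) >= 2 and parts[0].startswith("0x"):
            words.append(parts[1].replace(" ", ""))
    return bytes.fromhex("".join(words))

def tcp_payload(raw):
    """Skip the IPv4 header (IHL field) and the TCP header (data offset)."""
    ihl = (raw[0] & 0x0F) * 4
    tcp_len = (raw[ihl + 12] >> 4) * 4
    return raw[ihl + tcp_len:]

def compression_ratio(payload, level=9):
    """compressed/original size: near 0 for repeats, near 1 for real data."""
    return len(zlib.compress(payload, level)) / len(payload)

def repeat_unit(payload):
    """Shortest unit that, repeated, reproduces the payload (None if none)."""
    for p in range(1, len(payload) // 2 + 1):
        if payload[p:] == payload[:-p]:
            return payload[:p]
    return None

if __name__ == "__main__":
    for data in (tcp_payload(frame_from_dump(GOOD_DUMP)), LOIC_PAYLOAD):
        print(round(compression_ratio(data), 3), repeat_unit(data))
```

The kernel string match (xt_string, `-m string --algo bm|kmp --string ...`) compares a fixed byte string and has no regular-expression support, so the unit returned by repeat_unit() is the kind of value it takes. As the reply notes, the ratio test only flags repetitive filler; payloads of random bytes will compress as poorly as genuine traffic.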