1

I'm trying to build a custom Intrusion Detection and Prevention System (IDS/IPS). I found a great utility named ROPE which can scan the packet payload and drop the packet that doesn't follow the rules, set by a script. This serves my purpose completely, since what I want to do is check the payload for some specific text and then drop it or allow it (the string feature in iptables wouldn't do me any good, because I want to check more than one string in the payload, like usernames, IDs, etc.). However, ROPE is really old and despite my many attempts I haven't managed to install it properly.

Do you know any similar program that will help me drop packets in iptables depending on the payload?

Any suggestion is greatly appreciated :)

tzoukos
  • 13
  • 2

3 Answers

5

Warning: long, philosophical post ahead. TLDR: have another look at the existing solutions that are available.

I understand the appeal of rolling a custom solution, and I don't mean to be glib in saying this, but: if you are deploying in a production environment, developing any meaningfully-complex piece of infrastructure for which reasonable analogues already exist is a Bad Idea™, most especially in the realm of security.

Doing a really great job of designing an intrusion detection system (or configuration management system, or package distribution system, or high-level scripting language) requires a huge investment in domain-specific knowledge. If you have that knowledge, you're probably already involved with one of the many projects out there that's filling the particular niche you're interested in; if you don't, you're going to spend a lot of your employer's time and your own effort to develop version 1 of your own solution, which can't help but be mediocre compared to mature, community-supported solutions that have been refined over the course of years by motivated specialists.

It is the natural province of sysadmins to look at a problem and instantly begin designing a solution for it in our heads: we are typically both creatively talented and professionally motivated, and we love to fix problems, especially the big meta-problems that tend to inspire this kind of ambition. The cost-benefit equation just tends not to work out in favour of solving those problems from scratch, especially when you can probably get better bang for your buck by contributing to a well-managed existing project.

Sorry to have gone on so long; I hope I've managed to contribute something useful to your consideration of the issue.

Jeff Albert
  • 1,987
  • 9
  • 14
3

I have tested in my home-lab before with snort and fwsnort generating the iptables rules. Have you looked at this?

Guido van Brakel
  • 942
  • 5
  • 10
  • Agreed. Snort is well-suited for this. It's not easy to set up well, but it's pretty much the standard in IDS/IPS. – Hyppy Mar 14 '11 at 17:06
  • Snort is good, but it wouldn't help me a lot, since what I'm trying to do is examine the packets in real-time inside the kernel and not drop them if they come from a specific host (that's what snort does) – tzoukos Mar 14 '11 at 17:23
  • Snort doesn't check from a specific host. Snort uses its rules which also detect backdoors and so on. – Guido van Brakel Mar 14 '11 at 18:12
  • @tzoukos - you should probably take another look at Snort. It's a full-featured rules-based IDS/IPS. I think you're mistaking it for IPTables or something. – Hyppy Mar 14 '11 at 18:35
  • @tzoukos - These guys are right. *Some* of the signatures for snort are based on source or destination address, but a **very** small percentage. The majority of rules, at least from VRT or ET, are content matching. – Scott Pack Mar 14 '11 at 19:10
  • So, will I be able to have a snort rule that will allow me to check a packet and see if it contains a specific username, id, ip, mac address and then drop it? Is it done in the kernel or on application level? – tzoukos Mar 14 '11 at 21:16
  • @tzoukos So long as your sensor is in INLINE mode, then (with the possible exception of MAC) sure, just write your rule. Check out the docs: http://www.snort.org/docs – Scott Pack Mar 15 '11 at 02:25
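To make the "content matching in inline mode" point above concrete, here is an added example (not from the question, the answers, or the Snort project) of what such rules look like and how the drop/alert/pass decision falls out of them. It embeds three constructed Snort-style rules (rule text, SIDs and payloads are all made up) and evaluates only the `content:`/`nocase` options against a payload; the rule header (protocol, addresses, ports) and hex `|..|` byte notation are deliberately ignored to keep the logic short.

```python
import re

# Constructed Snort-style rules (not real VRT/ET signatures). In inline mode
# "drop" discards the packet, "alert" only logs it. $HOME_NET is a placeholder.
RULES = [
    'drop tcp any any -> $HOME_NET 80 (msg:"Blocked username"; content:"user=admin"; nocase; sid:1000001; rev:1;)',
    'drop tcp any any -> $HOME_NET 80 (msg:"Blocked id with token"; content:"id=1337"; content:"token="; sid:1000002; rev:1;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"Watched MAC string"; content:"00:11:22:33:44:55"; sid:1000003; rev:1;)',
]

# One rule option: name, optional ':' value (quoted or bare), terminated by ';'
_OPT_RE = re.compile(r'\s*([a-z_]+)\s*(?::\s*"?([^";]*?)"?)?\s*;')


def parse_rule(rule):
    """Return (action, sid, [(needle_bytes, nocase), ...]) for one rule line."""
    action = rule.split(None, 1)[0]
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    contents, sid = [], None
    for name, value in _OPT_RE.findall(opts):
        if name == "content":
            contents.append([value.encode(), False])  # hex |..| notation not handled here
        elif name == "nocase" and contents:
            contents[-1][1] = True  # nocase modifies the content that precedes it
        elif name == "sid":
            sid = int(value)
    return action, sid, [tuple(c) for c in contents]


def match(payload, contents):
    """Every content pattern must occur in the payload, each honouring its own nocase flag."""
    for needle, nocase in contents:
        hay, n = (payload.lower(), needle.lower()) if nocase else (payload, needle)
        if n not in hay:
            return False
    return True


def verdict(payload, rules=RULES):
    """First matching rule wins; returns (action, sid), or ('pass', None) if nothing matched."""
    for rule in rules:
        action, sid, contents = parse_rule(rule)
        if contents and match(payload, contents):
            return action, sid
    return "pass", None
```

Note that the second rule only fires when both strings are present, which is how a single rule checks several fields of one payload, while the case-insensitive first rule still catches `user=Admin`.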
2

@Tzoukos - from your question you are not actually describing an IDS or IPS, but a deep inspection firewall.

Snort can absolutely do all that you have described, and as mentioned has a wealth of signatures available for free...but if you are looking for other options, don't limit your search to just IDS/IPS solutions. There are many solutions at all price points from free to staggeringly expensive :-)

Rory Alsop
  • 1,184
  • 11
  • 21