> You can try using ipt_string, but you will run into serious
> limitations. ipt_string operates on a single packet. If the string
> you are trying to match is (for whatever reason) broken into multiple
> packets, ipt_string will not find it. Also, ipt_string does not know
> anything about application level protocols (such as HTTP). If it
> finds ".exe" anywhere in the packet's payload, it will match (whereas
> Squid will match only if it is part of the URL, and you can specify that
> it must be at the end of the URL).
>
> If I were you, I'd stick with Squid to do application level filtering.

Or even better, use Snort-inline to detect infiltrations and use its built-in response engine to drop the packets.
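The two limitations described in the quoted reply, modelled in a small added example (not code from the thread or from netfilter/Squid): a per-packet search in the style of ipt_string misses a string split across segments and matches it anywhere in the payload, while a reassembled, URL-aware check in the style of a Squid url_regex ACL does neither. The HTTP requests and the segment split are constructed for the demonstration.

```python
import re

# Constructed sample: a GET for /files/tool.exe split across two TCP
# segments so that ".exe" straddles the segment boundary.
SPLIT_REQUEST = [
    b"GET /files/tool.e",
    b"xe HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

# Constructed sample: a POST whose URL does not end in .exe but whose
# body mentions ".exe" in free text (no executable is being fetched).
BODY_MENTION = [
    b"POST /search HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 25\r\n\r\nq=how+to+open+a+.exe+file",
]


def per_packet_match(packets, needle):
    """Model of ipt_string: every packet is searched on its own,
    anywhere in its payload, with no knowledge of HTTP."""
    return any(needle in pkt for pkt in packets)


def stream_match(packets, needle):
    """Search the reassembled byte stream, so a needle that was split
    across segments is still found."""
    return needle in b"".join(packets)


def url_matches(packets, url_regex):
    """Model of a Squid url_regex ACL: reassemble the stream, parse the
    HTTP request line and test only the URL, so an anchored pattern
    such as \\.exe$ matches only at the end of the URL."""
    stream = b"".join(packets)
    request_line = stream.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:          # not a well-formed request line
        return False
    url = parts[1]
    return re.search(url_regex, url) is not None
```

Running the checks shows the per-packet search misses the split request but fires on the body text, while the URL check does the opposite.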