Re: Match specific netbios flag?

Maybe you should try something different instead of iptables.

For logging the connection/disconnection, configuring the logging in the smb configuration file is enough.

If you really want monitoring, maybe you want to use Nagios.

Hope this helps,

Jorge Dávila.

On Thu, 17 May 2007 07:00:58 +0800
 "k bah" <kbah@xxxxxxxxxxxxx> wrote:

Hi,

I'm using kernel 2.6.17, iptables 1.3.5.

Is there a way to match specific netbios ns flags? I did not find any on the iptables man page.

I'm trying to log it like this:

-A INPUT -s 10.1.1.15 -i eth1 -p udp -m string --string "elease" --algo bm --to 65535 -j LOG --log-prefix "received release from 015"

where 10.1.1.1 is the machine with iptables, the internal net router. 10.1.1.15 is Windows XP.

I would like to match it with a flag, not a string, to be more secure (netbios ns flag 0x3010).

The packet captured with Wireshark is:
-------------
...
11164 11877.336283 10.1.1.15 10.1.1.255 NBNS Release NB HT015<20>
...
NetBIOS Name Service
   Transaction ID: 0x808f
   Flags: 0x3010 (Release)
       0... .... .... .... = Response: Message is a query
       .011 0... .... .... = Opcode: Release (6)
       .... ..0. .... .... = Truncated: Message is not truncated
       .... ...0 .... .... = Recursion desired: Don't do query recursively
       .... .... ...1 .... = Broadcast: Broadcast packet
   Questions: 1
   Answer RRs: 0
   Authority RRs: 0
   Additional RRs: 1
   Queries
       HT015<20>: type NB, class IN
           Name: HT015<20> (Server service)
           Type: NB
           Class: IN
   Additional records
       HT015<20>: type NB, class IN
           Name: HT015<20> (Server service)
           Type: NB
           Class: IN
           Time to live: 0 time
           Data length: 6
           Flags: 0x0 (B-node, unique)
               0... .... .... .... = Unique name
               .00. .... .... .... = B-node
           Addr: 10.1.1.15
-------------

I want to know when that host went offline by turning the computer off, or because of some physical failure, such as a broken cable, or a disconnected cable on the switch.

thanks,

kbah




Jorge Isaac Davila Lopez
Nicaragua Open Source
davila@xxxxxxxxxxxxxxxxxxxxxxx
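The flag-based match kbah asks about, as an added example that is not part of the thread: Python code that decodes the NBNS header described in the capture (RFC 1002 layout: transaction ID, 16-bit flags word, four counts), splits the flags word into the fields Wireshark shows, and matches a name-release request by `flags == 0x3010` rather than by a string. The packet is constructed here from the values in the capture (name HT015<20>, transaction ID 0x808f, address 10.1.1.15); the function and constant names are this example's own. The flags word sits at UDP payload offset 2, which is what a 16-bit match at that offset (for example the u32 match that later netfilter versions ship) would test.

```python
import struct

# NBNS header (RFC 1002 4.2.1.1): ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2)
NBNS_HEADER = struct.Struct("!HHHHHH")
NBNS_RELEASE_FLAGS = 0x3010   # value shown in the Wireshark capture for a release request
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "WACK", 8: "refresh"}


def decode_flags(flags):
    """Split the 16-bit NBNS flags word into the fields Wireshark displays."""
    opcode = (flags >> 11) & 0xF
    return {
        "response": bool(flags & 0x8000),       # bit 15: 0 = request, 1 = response
        "opcode": opcode,                       # bits 14..11
        "opcode_name": OPCODES.get(opcode, "unknown"),
        "truncated": bool(flags & 0x0200),      # bit 9
        "recursion_desired": bool(flags & 0x0100),  # bit 8
        "broadcast": bool(flags & 0x0010),      # bit 4
        "rcode": flags & 0x000F,                # bits 3..0
    }


def encode_nb_name(name, suffix):
    """RFC 1001 first-level encoding: 15 chars + suffix byte -> 32 chars in 'A'..'P', as one DNS label."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes([32]) + bytes(enc) + b"\x00"   # length byte, 32 encoded chars, terminator


def decode_nb_name(label):
    """Inverse of encode_nb_name over the 32 encoded characters (no length byte or terminator)."""
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_release(txid, name, suffix, addr):
    """Constructed NAME RELEASE REQUEST mirroring the capture: one question, one additional NB record."""
    qname = encode_nb_name(name, suffix)
    header = NBNS_HEADER.pack(txid, NBNS_RELEASE_FLAGS, 1, 0, 0, 1)
    question = qname + struct.pack("!HH", 0x20, 0x01)                 # type NB (0x20), class IN
    rdata = struct.pack("!H", 0x0000) + bytes(int(o) for o in addr.split("."))  # NB_FLAGS (B-node, unique) + IPv4
    rr = qname + struct.pack("!HHIH", 0x20, 0x01, 0, len(rdata)) + rdata     # TTL 0, RDLENGTH 6
    return header + question + rr


def match_release(payload):
    """Flag-based match on a UDP payload: (name, suffix, addr) for a release request, else None."""
    if len(payload) < NBNS_HEADER.size:
        return None
    _txid, flags, qdcount, _an, _ns, arcount = NBNS_HEADER.unpack_from(payload)
    if flags != NBNS_RELEASE_FLAGS or qdcount != 1 or arcount != 1:
        return None
    off = NBNS_HEADER.size
    if len(payload) < off + 34 + 4 + 34 + 10 + 6 or payload[off] != 32:
        return None
    name, suffix = decode_nb_name(payload[off + 1:off + 33])
    off += 34 + 4                                    # past question name, type and class
    if payload[off] != 32:
        return None
    off += 34                                        # past the additional record's name
    _type, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", payload, off)
    off += 10
    if rdlen < 6:
        return None
    addr = ".".join(str(b) for b in payload[off + 2:off + 6])   # skip the 2-byte NB_FLAGS
    return name, suffix, addr


if __name__ == "__main__":
    pkt = build_release(0x808F, "HT015", 0x20, "10.1.1.15")
    print(decode_flags(NBNS_RELEASE_FLAGS))
    print(match_release(pkt))
    print("string 'elease' present on the wire:", b"elease" in pkt)
```

One caveat this shows for the string rule in the original post: the word "Release" in the capture is Wireshark's decode of opcode 6, not bytes on the wire. A first-level-encoded NetBIOS name consists only of the characters A to P, so `"elease"` never appears in an NBNS release packet and a `-m string --string "elease"` rule cannot fire on it; matching the flags word is the only reliable way to pick out releases, and even then a release packet only tells you about a clean shutdown, not a pulled cable.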

