On Thu, August 24, 2017 15:26, Ethy H. Brito wrote:
> On Thu, 24 Aug 2017 14:58:24 +0200
> "Walter H." <walter.h@xxxxxxxxxxxxxxxxx> wrote:
>
>> Hello,
>>
>> -N VERIFY-HTTP
>> -A VERIFY-HTTP -m string --to 61 --algo bm --string "GET /w00tw00t.at." \
>>    -j LOG --log-prefix "IP[HTTP-SCAN]: " --log-level 7
>> -A VERIFY-HTTP -j ACCEPT
>>
>> and
>>
>> -A INPUT -i eth1 -m tcp -p tcp --dport 80 -m state --state NEW -j VERIFY-HTTP
>>
>> I would expect that HTTP requests like
>>
>> wget http://thishost/w00tw00t.at.SANS
>>
>> would be logged, but it isn't.
>>
>> Why?
>
> Hi Walter.
>
> In a perfect world, "NEW" TCP packets do not carry any payload.
>
> "NEW", on a TCP stream, is supposed to match the "SYN" packet or the first
> packet of a "malformed" TCP stream. (more info at
> http://www.iptables.info/en/connection-state.html and many others)
>
> You should try something like:
>
> -A INPUT -i eth1 -m tcp -p tcp --dport 80 -j VERIFY-HTTP
>
> (not very effective since every packet will be scanned. I do not know what
> your goals are here, and HTTP servers are not my area of expertise, but
> doesn't your HTTP server have some traps for this?)
>
> regards
>
> Ethy

This doesn't work either ...

-A INPUT -i eth1 -m tcp -p tcp --dport 80 \
   -m string --to 61 --algo bm --string "GET /w00tw00t.at." \
   -j LOG --log-prefix "IP[HTTP-SCAN]: "
-A INPUT -i eth1 -m tcp -p tcp --dport 80 -m state --state NEW -j ACCEPT

But the strange thing: I have 3 identical hosts (same Linux distribution:
CentOS 6, latest updates). On two of them (virtual servers at web hosters)
this works, and on one, which is a physical host (my router), it doesn't
work ..., and I don't know why ...

Of course the web server has a logging facility, but the goal of this is to
replace "-j LOG ..." with "-j DROP".

Thanks,
Walter
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
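To make Ethy's point concrete, here is a small Python model I added (it is not code from the thread and not an iptables feature) that walks a client's SYN, ACK and request packet through two rules: the one that combines "--state NEW" with the string match, and the one with the string match alone. It also checks the "--to 61" scan window, on the assumption (mine, not stated in the thread) that xt_string counts offsets from the start of the IP header: with 20-byte IP and TCP headers the 17-byte pattern ends at byte 57, inside the window, while a TCP header carrying a 12-byte timestamp option pushes it to byte 69, outside it. The packet bytes, the three-packet flow and the one-line conntrack model are all constructed for this example; checksums are left zero and "NEW" is simply the first packet of the flow.

```python
"""Model of an iptables '-m state --state NEW' + '-m string' rule against a
client's TCP handshake and HTTP request. Added example, not code from the
thread; conntrack and xt_string behaviour are simplified (see comments)."""
import struct

IP_HLEN = 20            # IPv4 header, no options
TCP_HLEN = 20           # TCP header, no options
TS_OPTS = b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP, NOP, timestamp: 12 bytes
SYN, ACK, PSH_ACK = 0x02, 0x10, 0x18

NEEDLE = b"GET /w00tw00t.at."          # the --string from the thread
# Constructed request, as 'wget http://thishost/w00tw00t.at.SANS' would send it.
REQUEST = b"GET /w00tw00t.at.SANS HTTP/1.1\r\nHost: thishost\r\n\r\n"


def build_packet(flags, payload=b"", tcp_options=b""):
    """IPv4 + TCP bytes (client -> port 80); checksums left zero, no IP
    options. Assumption in this model: xt_string offsets start at the IP
    header, so byte 0 here is byte 0 of the scan window."""
    tcp_hlen = TCP_HLEN + len(tcp_options)
    total_len = IP_HLEN + tcp_hlen + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]))
    data_offset = (tcp_hlen // 4) << 12
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, data_offset | flags,
                      65535, 0, 0)
    return ip + tcp + tcp_options + payload


def client_flow(tcp_options=b""):
    """Three packets from the client: SYN, ACK of the SYN/ACK, then the
    request. Only the third one carries the HTTP request line."""
    return [
        build_packet(SYN),
        build_packet(ACK, tcp_options=tcp_options),
        build_packet(PSH_ACK, payload=REQUEST, tcp_options=tcp_options),
    ]


def conntrack_state(index):
    """Simplified conntrack: the first packet of a flow (the SYN) is NEW,
    everything after it is ESTABLISHED."""
    return "NEW" if index == 0 else "ESTABLISHED"


def string_match(pkt, needle, from_off=0, to_off=None):
    """xt_string model: the pattern must lie inside the scan window
    [from_off, to_off), offsets counted from the start of the IP header
    (the default --to is the packet length)."""
    end = len(pkt) if to_off is None else min(to_off, len(pkt))
    return needle in pkt[from_off:end]


def first_match(packets, needle, require_new=False, to_off=None):
    """Index of the first packet the rule would match, or None."""
    for i, pkt in enumerate(packets):
        if require_new and conntrack_state(i) != "NEW":
            continue
        if string_match(pkt, needle, to_off=to_off):
            return i
    return None


def needle_end_offset(tcp_options_len=0):
    """Offset just past the pattern when it opens the TCP payload; compare
    it against the --to value to see whether the window still covers it."""
    return IP_HLEN + TCP_HLEN + tcp_options_len + len(NEEDLE)


if __name__ == "__main__":
    plain, with_ts = client_flow(), client_flow(TS_OPTS)
    print("NEW + string, --to 61:", first_match(plain, NEEDLE, True, 61))
    print("string only, --to 61, no TCP options:",
          first_match(plain, NEEDLE, False, 61))
    print("string only, --to 61, timestamp option:",
          first_match(with_ts, NEEDLE, False, 61))
    print("string only, default --to:", first_match(with_ts, NEEDLE))
    print("pattern ends at byte", needle_end_offset(0),
          "without / at byte", needle_end_offset(len(TS_OPTS)), "with options")
```

The first rule never fires because the only packet in NEW state is the SYN, which has no payload; the second fires on the request packet, but only while the pattern fits inside the window given by "--to". Dropping "--to 61" (or raising it well past the largest TCP header you expect) is the cheap way to rule the window out before comparing kernels on the three hosts.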