On Monday 15 March 2004 10:46 pm, Michael St. Laurent wrote:

> I was reading about the String module for iptables in Linux Journal over
> the weekend and it occurred to me that this could be used for scanning the
> LAN for the presence of an infected system.

The String match in netfilter is not that great - it has too many limitations which cause it to fail to match things you would like (the most obvious of which are that it can't match strings split across packet boundaries, and it can only match the literal content of packets, so if a packet contains compressed data (eg: a gzipped http response) it won't match what you think that data represents).

A better starting point for this sort of thing would be Snort, since this is designed to deal with packet contents, and raise alerts on the basis of what it finds - the String match in netfilter is much more of an add-on to a tool which really works at a much lower layer than the application data you're interested in.

Regards,

Antony.

--
RTFM may be the appropriate reply, but please specify exactly which FM to R.

Please reply to the list; please don't CC me.

_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
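
The two limitations named in the reply above (a string split across packet boundaries, and a gzipped HTTP response) can be reproduced offline. This is an added example, not part of the original message: it models a per-packet literal search in Python rather than invoking netfilter, and the marker string, helper names and sample HTTP responses are all constructed for illustration.

```python
import gzip
import zlib

SIGNATURE = b"X-Constructed-Marker-1234"  # constructed test string, not a real signature

def per_packet_match(packets, needle=SIGNATURE):
    """Model of a per-packet literal match: each payload is searched on its own."""
    return any(needle in payload for payload in packets)

def stream_match(packets, needle=SIGNATURE):
    """Reassemble payloads in order, decode a gzip HTTP body if present, then search."""
    stream = b"".join(packets)
    if needle in stream:
        return True
    head, sep, body = stream.partition(b"\r\n\r\n")
    if sep and b"content-encoding: gzip" in head.lower():
        try:
            return needle in gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            return False  # truncated or corrupt body: nothing to inspect
    return False

def http_response(body, compress=False):
    """Build a minimal constructed HTTP response, optionally gzip-encoded."""
    headers = [b"HTTP/1.1 200 OK"]
    if compress:
        body = gzip.compress(body)
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + body

def demo():
    """Return {case: (per_packet_result, stream_result)} for three constructed flows."""
    page = b"<html>" + b"A" * 200 + SIGNATURE + b"</html>"
    plain = http_response(page)
    cut = plain.index(SIGNATURE) + 5  # packet boundary falls inside the string
    cases = {
        "whole": [plain],
        "split": [plain[:cut], plain[cut:]],
        "gzip": [http_response(page, compress=True)],
    }
    return {name: (per_packet_match(p), stream_match(p)) for name, p in cases.items()}

if __name__ == "__main__":
    for name, (pkt, strm) in demo().items():
        print(f"{name:6} per-packet={pkt} stream={strm}")
```

Only the "whole" case is caught by the per-packet search; the "split" and "gzip" cases need stream reassembly and content decoding, which is the layer the reply says a tool like Snort is designed for.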