Welcome, Guest. Please login or register.
Did you miss your activation email?
Thursday 31 October 2024, 06:21:32 am

Login with username, password and session length

CLICK HERE for the The official Endian Roadmap and Issue tracker
14248 Posts in 4376 Topics by 6515 Members
Latest Member: hulteends
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Inspect incoming WAN packets for undesired content/text
0 Members and 2 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Inspect incoming WAN packets for undesired content/text  (Read 8131 times)
sagor
Jr. Member
*
Offline Offline

Posts: 2


« on: Wednesday 07 July 2010, 09:19:42 am »

Is there a way to use Endian to inspect incoming WAN packets for unwanted text, and ban the source IP?
For example, some hacker bot trying to connect to a web site, trying to connect to "//phpadmin/admin.php". I'd like to trap that packet and blacklist the source IP automatically.

I can do this somewhat with a text based firewall (Mikrotik) by flagging it in a early "mangle" stage, then having the firewall blacklist the source IP based on the flag that is triggered by this text.

I've just loaded Endian, hoping it may do the same, somehow, but don't see any menu option to do this function.

Am I dreaming that higher end firewalls don't do this function? Does it take too much compute power?

Thanks

PS: The web server is on the LAN side, on a separate PC. Just want to use Endian as an intelligent firewall/router
PPS I see Snort has a lot of rules, but how does one add a simple "text" probe to these? Does Snort use a lot of resources? (I assume so...)
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #1 on: Thursday 08 July 2010, 01:11:24 am »

You should do it with Intrusion Prevention (=snort).

You can probably create a custom ruleset on /etc/snort/rules/custom, by adding a new file.

Check an existing ruleset to see how works
/etc/snort/rules/auto/emerging-web_server.rules

I never created a snort rule, so I can't help you.
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #2 on: Thursday 08 July 2010, 01:23:59 am »

Edited:

Use "upload custom rules" button from Web, I think is easier for adding your custom rules.
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.031 seconds with 21 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com