Welcome, Guest. Please login or register.
Did you miss your activation email?
Sunday 24 November 2024, 11:48:18 am

Login with username, password and session length

Visit the Official Endian Reference Manual  HERE
14261 Posts in 4377 Topics by 6517 Members
Latest Member: Sandro
Search:     Advanced search
+  EFW Support
|-+  Support
| |-+  General Support
| | |-+  Inspect incoming WAN packets for undesired content/text
0 Members and 2 Guests are viewing this topic. « previous next »
Pages: [1] Go Down Print
Author Topic: Inspect incoming WAN packets for undesired content/text  (Read 8318 times)
sagor
Jr. Member
*
Offline Offline

Posts: 2


« on: Wednesday 07 July 2010, 09:19:42 am »

Is there a way to use Endian to inspect incoming WAN packets for unwanted text, and ban the source IP?
For example, some hacker bot trying to connect to a web site, trying to connect to "//phpadmin/admin.php". I'd like to trap that packet and blacklist the source IP automatically.

I can do this somewhat with a text based firewall (Mikrotik) by flagging it in a early "mangle" stage, then having the firewall blacklist the source IP based on the flag that is triggered by this text.

I've just loaded Endian, hoping it may do the same, somehow, but don't see any menu option to do this function.

Am I dreaming that higher end firewalls don't do this function? Does it take too much compute power?

Thanks

PS: The web server is on the LAN side, on a separate PC. Just want to use Endian as an intelligent firewall/router
PPS I see Snort has a lot of rules, but how does one add a simple "text" probe to these? Does Snort use a lot of resources? (I assume so...)
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #1 on: Thursday 08 July 2010, 01:11:24 am »

You should do it with Intrusion Prevention (=snort).

You can probably create a custom ruleset on /etc/snort/rules/custom, by adding a new file.

Check an existing ruleset to see how works
/etc/snort/rules/auto/emerging-web_server.rules

I never created a snort rule, so I can't help you.
Logged
mrkroket
Hero Member
*****
Offline Offline

Posts: 495


« Reply #2 on: Thursday 08 July 2010, 01:23:59 am »

Edited:

Use "upload custom rules" button from Web, I think is easier for adding your custom rules.
Logged
Pages: [1] Go Up Print 
« previous next »
Jump to:  

Page created in 0.063 seconds with 19 queries.
Powered by SMF 1.1 RC2 | SMF © 2001-2005, Lewis Media Design by 7dana.com