This is a discussion on Re: content matching on tcp connections... within the IPFilter forums, part of the System Security and Security Related category.
YES,YES,YES
----- Original Message -----
From: "Darren Reed" <darrenr@reed.wattle.id.au>
To: <ipfilter@coombs.anu.edu.au>
Sent: Thursday, June 26, 2003 5:42 PM
Subject: content matching on tcp connections...

>
> Long ago (well almost 3 years now), I put some code into IPFilter
> 3.5alpha (became 4.0alpha) that does this:
>
> > #
> > # * = match any character, . = exact match, ? = case insensitive
> > #
> > # Scan for anything that looks like HTTP and redirect it to the local
> > # proxy. One catch - this feature (redirect) is not yet implemented.
> > #
> > http : ("GET ", "???." ) = redirect(127.0.0.1)
> > #
> > # Track ssh connections (i.e do nothing)
> > #
> > ssh : (), ("SSH-") = track
> > #
> > # Things which look like smtp to be tracked else closed.
> > # Client can start with EHLO (ESMTP) or HELO (SMTP).
> > #
> > smtp : ("HELO ", "**??."), ("220 ", "....") = track else close
> > #
> > # Evil napster
> > #
> > nap2 : ("*\0\2\0", "*...") = close
> > nap4 : ("*\0\4\0", "*...") = close
> > nap6 : ("*\0\6\0", "*...") = close
> > nap7 : ("*\0\7\0", "*...") = close
>
> With the above, there are no port numbers mentioned because the connection
> content scanning (I think limited to first 16 bytes or thereabouts) is done
> across _all_ TCP connections that go through IPFilter's state table.
>
> This kind of thing could be used to block out kazaa - completely.
>
> I think I ditched it because I didn't think it would be that useful.
>
> Should I dust this off and let it back in ?
>
> Darren
>
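
The mask notation in the quoted rules (* = any character, . = exact, ? = case insensitive) amounts to a per-byte comparison against the start of a TCP stream. The sketch below is an added example, not IPFilter's code and not part of either post; the scan_pat struct, the scan_match function, the fixed 16-byte cap and treating a missing mask as all-exact are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SCAN_MAX 16 /* assumed cap; the post says "first 16 bytes or thereabouts" */

/* Hypothetical rule layout: literal bytes plus a per-byte mask string. */
struct scan_pat {
    const char *lit;  /* bytes to compare against (may contain NULs) */
    const char *mask; /* '*' any, '.' exact, '?' case-insensitive; NULL = all exact */
    size_t len;       /* number of bytes in lit (explicit because of NULs) */
};

/* Return 1 if the first p->len bytes of data satisfy the pattern, else 0. */
int scan_match(const struct scan_pat *p, const unsigned char *data, size_t dlen)
{
    if (p->len > SCAN_MAX || dlen < p->len)
        return 0; /* rule too long, or not enough payload seen yet */
    if (p->mask && strlen(p->mask) != p->len)
        return 0; /* malformed rule never matches */
    for (size_t i = 0; i < p->len; i++) {
        unsigned char want = (unsigned char)p->lit[i];
        char m = p->mask ? p->mask[i] : '.';
        if (m == '*') continue;
        if (m == '.' && data[i] == want) continue;
        if (m == '?' && tolower(data[i]) == tolower(want)) continue;
        return 0;
    }
    return 1;
}

/* Patterns copied from the quoted rules (one string/mask pair from each). */
static const struct scan_pat pat_http = { "GET ", "???.", 4 };
static const struct scan_pat pat_smtp = { "HELO ", "**??.", 5 };
static const struct scan_pat pat_nap2 = { "*\0\2\0", "*...", 4 };
static const struct scan_pat pat_ssh  = { "SSH-", NULL, 4 };

int main(void)
{
    const unsigned char payload[] = "EHLO mail.example.test\r\n"; /* constructed sample */
    printf("smtp=%d http=%d\n", scan_match(&pat_smtp, payload, sizeof payload - 1),
           scan_match(&pat_http, payload, sizeof payload - 1));
    return 0;
}
```

With the "**??." mask the smtp pattern accepts both EHLO and HELO, because only the "LO " tail is compared; this is also why short masked prefixes can match unrelated traffic that happens to share those bytes.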