This is a discussion on RE: content matching on tcp connections... within the IPFilter forums, part of the System Security and Security Related category.
Hey,
I bid two beers :-)

----------
From: Darren Reed [SMTP:darrenr@reed.wattle.id.au]
Sent: Thursday, June 26, 2003 5:42 PM
To: ipfilter@coombs.anu.edu.au
Subject: content matching on tcp connections...

Long ago (well almost 3 years now), I put some code into IPFilter 3.5alpha (became 4.0alpha) that does this:

> #
> # * = match any character, . = exact match, ? = case insensitive
> #
> # Scan for anything that looks like HTTP and redirect it to the local
> # proxy. One catch - this feature (redirect) is not yet implemented.
> #
> http : ("GET ", "???." ) = redirect(127.0.0.1)
> #
> # Track ssh connections (i.e do nothing)
> #
> ssh : (), ("SSH-") = track
> #
> # Things which look like smtp to be tracked else closed.
> # Client can start with EHLO (ESMTP) or HELO (SMTP).
> #
> smtp : ("HELO ", "**??."), ("220 ", "....") = track else close
> #
> # Evil napster
> #
> nap2 : ("*\0\2\0", "*...") = close
> nap4 : ("*\0\4\0", "*...") = close
> nap6 : ("*\0\6\0", "*...") = close
> nap7 : ("*\0\7\0", "*...") = close

With the above, there are no port numbers mentioned because the connection content scanning (I think limited to first 16 bytes or thereabouts) is done across _all_ TCP connections that go through IPFilter's state table.

This kind of thing could be used to block out kazaa - completely.

I think I ditched it because I didn't think it would be that useful.

Should I dust this off and let it back in?

Darren
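The per-byte mask matching described in the quoted rules, as an added example that is not part of the original post and is not IPFilter's own code. It assumes each parenthesised pair is (pattern, mask) with one mask character per pattern byte; `struct side`, `side_match` and `SCAN_MAX` are hypothetical names, and treating a missing mask as exact matching is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SCAN_MAX 16 /* assumed window; the post says "16 bytes or thereabouts" */

/* One (pattern, mask) pair from a rule. Mask characters, per the post:
 * '*' any byte, '.' exact byte, '?' case-insensitive. A NULL mask (as in
 * ("SSH-")) is read here as "every byte exact", which is an assumption. */
struct side {
    const char *pat;
    const char *mask;
    size_t len; /* explicit length: the napster patterns embed \0 bytes */
};

/* 1 = match, 0 = mismatch, -1 = bytes so far agree but more are needed. */
int side_match(const struct side *s, const void *buf, size_t dlen)
{
    const unsigned char *data = buf;
    size_t i;

    if (s->len > SCAN_MAX || (s->mask && strlen(s->mask) != s->len))
        return 0; /* malformed rule: never matches */
    for (i = 0; i < s->len; i++) {
        unsigned char p = (unsigned char)s->pat[i];
        char m = s->mask ? s->mask[i] : '.';

        if (i >= dlen)
            return -1;
        if (m == '*')
            continue;
        if (m == '?' ? tolower(data[i]) != tolower(p) : data[i] != p)
            return 0;
    }
    return 1;
}

/* Client-side halves of rules quoted in the post, plus the ssh server side. */
const struct side http_c = { "GET ", "???.", 4 };
const struct side smtp_c = { "HELO ", "**??.", 5 };
const struct side nap2_c = { "*\0\2\0", "*...", 4 };
const struct side ssh_s  = { "SSH-", NULL, 4 };

int main(void)
{
    /* Constructed sample payloads, not captured traffic. */
    printf("http  %d\n", side_match(&http_c, "get / HTTP/1.0\r\n", 16));
    printf("ehlo  %d\n", side_match(&smtp_c, "EHLO mx.example\r\n", 17));
    printf("short %d\n", side_match(&smtp_c, "HE", 2));
    printf("nap2  %d\n", side_match(&nap2_c, "\x10\0\2\0", 4));
    return 0;
}
```

Under this reading the smtp mask `**??.` accepts any two leading bytes, so a payload such as `zzlo ` matches as well as `HELO ` and `EHLO `.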