In some email I received from Michael T. Davis, sie wrote:
> The WhatsNew40.txt file for v4.x indicates that "simple matching of
> content for TCP session startup" is now possible. I can't seem to find the
> details of implementing this. Could someone please provide instructions,
> ideally with an example or two?
Ok, a command called "ipscan" will get built if you build the ipfilter
package from a download. With this, you can match on the first 16 bytes
of a packet.
I haven't talked a lot about it because I think it needs more work to
actually become useful.
A sample config would be:
# Track ssh connections (i.e. do nothing)
#
ssh : (), ("SSH-") = track else close
#
# Things which look like smtp to be tracked else closed.
# Client can start with EHLO (ESMTP) or HELO (SMTP).
#
smtp : ("HELO ", "**??."), ("220 ", "....") = track else close
#
and then in ipfilter rules, use (I think):
pass out proto tcp from any to any port = 22 keep state scan ssh
pass out proto tcp from any to any port = 25 keep state scan smtp
at this point, it's more about ensuring that a particular kind of
service appears to be initiated over a particular port.
I'm not really happy with that, I would like to see it do other
things...or tie in completely differently to ipfilter rather than
just via "keep state" rules.
Darren
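As an added example, not part of Darren's message or of the ipfilter sources: a small Python model of the ipscan behaviour described above, i.e. a parser for the two sample rules and a matcher that compares only the first 16 bytes of each side's first payload and returns "track" or "close". The mask semantics used here ('.' exact byte, '?' same letter in either case, '*' any byte) and the assumption that a bare "text" pattern with no mask means every byte must match exactly are inferred from the sample config for this illustration; check them against ipscan's own source before relying on them. The session payloads are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Per the message above, ipscan looks only at the first 16 bytes of a packet.
SCAN_BYTES = 16


@dataclass
class Pattern:
    text: bytes   # expected bytes
    mask: str     # one mask character per byte of text


@dataclass
class ScanRule:
    name: str
    client: Optional[Pattern]   # None for an empty tuple "()": nothing required from that side
    server: Optional[Pattern]
    on_match: str               # e.g. "track"
    otherwise: str              # e.g. "close"


# name : (client tuple), (server tuple) = action else action
_RULE_RE = re.compile(
    r'^(\w+)\s*:\s*\((.*?)\)\s*,\s*\((.*?)\)\s*=\s*(\w+)\s+else\s+(\w+)$'
)
# "text"  or  "text", "mask"
_TUPLE_RE = re.compile(r'^"([^"]*)"(?:\s*,\s*"([^"]*)")?$')


def parse_tuple(body: str) -> Optional[Pattern]:
    body = body.strip()
    if not body:
        return None
    m = _TUPLE_RE.match(body)
    if m is None:
        raise ValueError(f"unparsable pattern tuple: ({body})")
    text = m.group(1).encode("latin-1")
    # ASSUMPTION: a bare "text" with no mask means every byte must match exactly.
    mask = m.group(2) if m.group(2) is not None else "." * len(text)
    if len(mask) != len(text) or set(mask) - set(".?*"):
        raise ValueError(f"mask {mask!r} does not fit text {text!r}")
    return Pattern(text, mask)


def parse_config(config: str) -> Dict[str, ScanRule]:
    rules: Dict[str, ScanRule] = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = _RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable rule: {raw!r}")
        name, client, server, on_match, otherwise = m.groups()
        rules[name] = ScanRule(name, parse_tuple(client), parse_tuple(server),
                               on_match, otherwise)
    return rules


def matches(pattern: Optional[Pattern], payload: bytes) -> bool:
    """Compare the start of a payload against a pattern under the assumed mask rules."""
    if pattern is None:
        return True
    data = payload[:SCAN_BYTES]
    if len(data) < len(pattern.text):
        return False   # too little data to judge: treat as no match
    for want, mchar, got in zip(pattern.text, pattern.mask, data):
        if mchar == "." and want != got:            # exact byte
            return False
        if mchar == "?":                            # same letter, either case
            if not bytes([got]).isalpha() or (want & 0x5F) != (got & 0x5F):
                return False
        # "*" accepts any byte
    return True


def decide(rule: ScanRule, client_first: bytes, server_first: bytes) -> str:
    """Return the rule's action for a session, given each side's first payload."""
    if matches(rule.client, client_first) and matches(rule.server, server_first):
        return rule.on_match
    return rule.otherwise


# The two rules from the message; the session payloads below are constructed.
SAMPLE_CONFIG = """
# Track ssh connections (i.e. do nothing)
ssh : (), ("SSH-") = track else close
# Client can start with EHLO (ESMTP) or HELO (SMTP).
smtp : ("HELO ", "**??."), ("220 ", "....") = track else close
"""

if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    sessions = [  # (rule, client first bytes, server first bytes)
        ("ssh", b"", b"SSH-2.0-OpenSSH_9.6\r\n"),
        ("ssh", b"", b"HTTP/1.1 200 OK\r\n"),
        ("smtp", b"EHLO mail.example.test\r\n", b"220 mx.example.test ESMTP\r\n"),
        ("smtp", b"GET / HTTP/1.0\r\n", b"220 mx.example.test ESMTP\r\n"),
    ]
    for name, c, s in sessions:
        print(f"{name:5} {c[:8]!r:16} {s[:8]!r:16} -> {decide(rules[name], c, s)}")
```

The "else close" branch is the interesting one from a defender's view: a session on port 25 whose first bytes do not look like SMTP on both sides is dropped rather than tracked, which is exactly the "does this port carry the service it claims to" check Darren describes.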