* Kostas Zorbadelos <kzo...@otenet.gr> [2012-06-09 13:12]:
> We used iptables and the string module to match a specific signature of
> the problematic queries and it worked quite well (in our attack case the
> problematic queries had a very specific and simple pattern).
> The question is, if we had OpenBSD and PF as a
> firewall what could we do to address this? From searching the archives I
> saw this quite old post
>
> http://www.monkey.org/openbsd/archive/misc/0207/msg00743.html
>
> I haven't seen any string matching capability in PF for the packet
> payload. Unless I am missing something, what would your suggestions be
> in such a scenario? I am interested to hear possible solutions in other
> layers as well.
String matching to more or less random packets' payload in the kernel? That
is beyond insane. The proper solution is a small userland helper process,
using divert-to and maybe socket splicing.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
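What the "small userland helper process using divert-to" looks like in practice, as an added example that is not part of the thread and not code from either poster. It assumes a PF rule like `pass in quick on em0 proto udp to port 53 divert-to 127.0.0.1 port 700` (interface, port and the signature bytes are all made up for the example), and it assumes the attack queries can be recognised by a fixed byte string in the UDP payload, here the wire-encoded qname `evil.example.com`. The helper binds a divert(4) socket on the port named in the rule, reads each diverted IPv4 packet, and either drops it (by not writing it back) or reinjects it unchanged. The two sample packets are constructed inline so the matcher can be exercised on any system; the divert socket loop only compiles on OpenBSD, since divert(4) exists nowhere else. Socket splicing, which the reply also mentions, is a TCP mechanism and is not needed for a UDP DNS filter, so it is not used here.

```c
/*
 * divert-to helper sketch (added example, not from the thread).
 * PF hands matching packets to a divert(4) socket; this process decides
 * per packet whether to reinject it or silently drop it. Nothing in the
 * packet is modified, so checksums stay valid on reinjection.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed signature: wire-encoded qname "evil.example.com". */
static const unsigned char SIGNATURE[] = {
    4, 'e','v','i','l', 7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0
};

/* Portable binary substring search (memmem(3) is not in C99). */
static const unsigned char *
find_bytes(const unsigned char *hay, size_t haylen,
           const unsigned char *needle, size_t needlelen)
{
    if (needlelen == 0 || haylen < needlelen)
        return NULL;
    for (size_t i = 0; i + needlelen <= haylen; i++)
        if (memcmp(hay + i, needle, needlelen) == 0)
            return hay + i;
    return NULL;
}

/*
 * Verdict for one raw IPv4 packet: 1 = UDP payload contains sig (drop),
 * 0 = pass, -1 = malformed or truncated (also drop: never reinject junk).
 */
int
payload_matches(const unsigned char *pkt, size_t len,
                const unsigned char *sig, size_t siglen)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len)
        return -1;
    if (pkt[9] != 17)                 /* IPPROTO_UDP: only UDP is inspected */
        return 0;
    if (total - ihl < 8)
        return -1;
    size_t udplen = ((size_t)pkt[ihl + 4] << 8) | pkt[ihl + 5];
    if (udplen < 8 || udplen > total - ihl)
        return -1;
    return find_bytes(pkt + ihl + 8, udplen - 8, sig, siglen) != NULL;
}

/* Constructed sample: IPv4/UDP DNS query for evil.example.com (62 bytes). */
const unsigned char SAMPLE_BAD_QUERY[] = {
    0x45,0x00,0x00,0x3e, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    10,0,0,1, 10,0,0,53,
    0x12,0x34, 0x00,0x35, 0x00,0x2a, 0x00,0x00,
    0xab,0xcd, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    4,'e','v','i','l', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0x00,0x01, 0x00,0x01
};
/* Constructed sample: IPv4/UDP DNS query for www.openbsd.org (61 bytes). */
const unsigned char SAMPLE_GOOD_QUERY[] = {
    0x45,0x00,0x00,0x3d, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    10,0,0,1, 10,0,0,53,
    0x12,0x35, 0x00,0x35, 0x00,0x29, 0x00,0x00,
    0xab,0xce, 0x01,0x00, 0x00,0x01, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    3,'w','w','w', 7,'o','p','e','n','b','s','d', 3,'o','r','g', 0,
    0x00,0x01, 0x00,0x01
};

#ifdef __OpenBSD__
#include <sys/socket.h>
#include <netinet/in.h>
#include <err.h>

int
main(void)
{
    unsigned char buf[65535];
    struct sockaddr_in sin;
    socklen_t slen;
    ssize_t n;
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd == -1)
        err(1, "socket");
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(700);        /* must match "divert-to ... port 700" */
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) == -1)
        err(1, "bind");
    for (;;) {
        slen = sizeof sin;
        n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&sin, &slen);
        if (n == -1)
            err(1, "recvfrom");
        if (payload_matches(buf, (size_t)n, SIGNATURE, sizeof SIGNATURE) != 0)
            continue;                 /* matched or malformed: drop */
        /* Write it back with the address recvfrom gave us to reinject it. */
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&sin, slen) == -1)
            warn("sendto");
    }
}
#else
int
main(void)
{
    /* divert(4) is OpenBSD-only; elsewhere just exercise the matcher. */
    printf("bad query: %d, good query: %d\n",
        payload_matches(SAMPLE_BAD_QUERY, sizeof SAMPLE_BAD_QUERY, SIGNATURE, sizeof SIGNATURE),
        payload_matches(SAMPLE_GOOD_QUERY, sizeof SAMPLE_GOOD_QUERY, SIGNATURE, sizeof SIGNATURE));
    return 0;
}
#endif
```

Two operational points worth keeping in mind with this design: packets diverted to a port with no socket bound are dropped by the kernel, so the helper has to be supervised and restarted, and the matcher deliberately refuses to reinject anything it cannot parse, so a malformed packet is dropped rather than passed through unchecked.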