Daniel, I actually had the chance to meet Harald Welte, one of the core members of the Netfilter/IPTables team at the Linux Symposium this year. I think in large part he agrees with you and Henning. When I spoke with him about string matching and TCP stream reassembly/filtering, he most definitely did not care for these approaches.
The whole problem is that the RFCs are pretty much guidelines, so it's almost impossible to have a solid L7/proxy system. There is an almost hopeless number of extensions to practically all protocols, and to make matters worse, many of the extensions are proprietary or poorly documented/undocumented. However, in the enterprise, with the constant barrage of worms and given that Windows-based systems are everywhere, I believe that something, especially a layered solution, is better than nothing. Sheesh, it's gotten so bad in the last couple of years that even company intranets have to be treated as hostile networks. Too bad there's no pf for Windows; don't even ask me about host-based Windows firewalls...

I also had the pleasure of talking with Marty Roesch recently. There are a lot of cool things going on at Sourcefire that are then being put into Snort. Something like Hogwash--adaptive (N)IDS--is interesting, although IDS still has quite a way to go. You might be surprised, though, how effective IDS signatures can be at selectively blocking traffic. I don't want to get too far off on a tangent, though. Despite the significant issues with IDS, tell me a better alternative.

Personally, though, I think you and Henning are doing an awesome job. For security products especially, quality far outweighs quantity. The biggest problem with security products is exactly what you are saying--people are looking for a quick fix instead of developing a clean and robust system.

Jim

> -----Original Message-----
> From: Daniel Hartmeier [mailto:[EMAIL PROTECTED]
> Sent: Thursday, November 06, 2003 11:09 AM
> To: Small, Jim
> Cc: [EMAIL PROTECTED]
> Subject: Re: pf with any l7 patches or ability?
>
> On Thu, Nov 06, 2003 at 10:14:36AM -0500, Small, Jim wrote:
>
> > I would also be curious if anyone has heard of other L7 filters that work
> > well with pf. You see Daniel and Henning, we're so spoiled by pf, OpenBSD,
> > and OpenSSH that we're hoping there's an L7 filter project like that...
>
> If someone shows me how to do it correctly, that might even convince me
> to try to implement it in pf. But what I've seen so far were horrible
> kludges in the sense that I can immediately predict a dozen ways it will
> raise false alarms or be easily circumvented by a moderately clever
> tool. What I'd want is a scheme that I myself could trust.
>
> For instance, I personally dislike the idea of 'search for substring
> HTTP/1.1 in the payload and assume protocol HTTP when found' or anything
> inaccurate like that. Would this very email be blocked by some firewalls
> because they see the string in the (SMTP) payload? Searching the payload of
> individual packets independently is just guesswork. Even if many people
> consider that 'good enough' and 'helpful in some cases', I find it too
> ugly to invest time in. I'd rather pick something else I can do properly.
>
> Daniel
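The two failure modes Daniel describes in the quoted message, a false alarm (an SMTP session whose message body happens to contain "HTTP/1.1") and trivial evasion (a real HTTP request whose token straddles a segment boundary), are easy to reproduce. The following is an added example written for this page; it is not code from the thread, from pf, or from any of the projects named above. Both sample flows are constructed byte strings, and the anchored request-line check is a minimal illustration, not a proposal for how pf should classify traffic.

```python
"""
Added example (not from the pf thread or the pf project): why per-packet
substring matching for "protocol detection" is guesswork.  Shows the exact
false alarm Daniel describes (an SMTP message quoting "HTTP/1.1") and the
evasion side (an HTTP request split across two TCP segments so that no
single segment contains the token).  All payloads below are constructed.
"""
import re


def naive_per_packet(segments, needle=b"HTTP/1.1"):
    """The approach being criticised: inspect each segment on its own and
    declare the flow HTTP as soon as any one segment contains the needle."""
    return any(needle in seg for seg in segments)


# Minimal request-line grammar (RFC 2616 section 5.1): the very first bytes of
# the client stream must read  METHOD SP Request-URI SP HTTP/1.x CRLF.
REQUEST_LINE = re.compile(rb"^[A-Z]+ [^ \r\n]+ HTTP/1\.[01]\r\n")


def reassembled_request_line(segments):
    """Classify only after reassembling the client stream, and anchor the
    check at byte 0 of the stream instead of searching anywhere in it.
    Returns 'http', 'not-http' or 'undecided' (no complete first line yet)."""
    stream = b"".join(segments)
    if REQUEST_LINE.match(stream):
        return "http"
    if b"\r\n" not in stream and len(stream) < 8192:
        # First line still incomplete: a lone token is not enough to decide.
        return "undecided"
    return "not-http"


# Constructed sample 1 (Daniel's case): SMTP DATA phase carrying an e-mail
# that quotes "HTTP/1.1".  Per-packet matching flags it as HTTP; the anchored
# check does not, because the stream begins with an SMTP verb.
SMTP_FLOW = [
    b"EHLO mail.example.test\r\n",
    b"MAIL FROM:<a@example.test>\r\n",
    b"DATA\r\n",
    b"Subject: pf with any l7 patches?\r\n\r\n"
    b"... search for substring HTTP/1.1 in the payload ...\r\n.\r\n",
]

# Constructed sample 2: a genuine HTTP request whose request line straddles a
# segment boundary.  Neither segment alone contains "HTTP/1.1", so the
# per-packet matcher misses it; reassembly sees the whole line.
SPLIT_HTTP_FLOW = [
    b"GET /index.html HTT",
    b"P/1.1\r\nHost: www.example.test\r\n\r\n",
]


def classify_both(segments):
    """Run both classifiers over one flow so the disagreement is visible."""
    return {
        "per_packet_says_http": naive_per_packet(segments),
        "reassembled": reassembled_request_line(segments),
    }


if __name__ == "__main__":
    for name, flow in (("smtp", SMTP_FLOW), ("split-http", SPLIT_HTTP_FLOW)):
        print(name, classify_both(flow))
```

Even the anchored, reassembled check only fixes the two cases shown: it still assumes the inspecting box knows which side is the client, that its reassembly agrees with the endpoint's under retransmission and overlap, and that nobody tunnels one protocol inside another. Those remaining assumptions are the ones that make a classifier hard to trust, which is the point of the quoted message.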