Re: Deep Packet Inspection
On Tue, Aug 21, 2018 at 11:21:01AM +0300, Mimiko wrote:
> Isn't zorp gone commercial only?
>
> On 19.08.2018 20:51, Dan Ritter wrote:
> > zorp is a proxying firewall with many look-inside features, but
> > is not arbitrarily deep.

zorp 6.0.10.0-2 is packaged for sid; early versions for wheezy and jessie.

https://github.com/Balasys/zorp

-dsr-
Re: Deep Packet Inspection
Hi.

Top posting is considered bad manners here.

On Tue, Aug 21, 2018 at 11:22:02AM +0300, Mimiko wrote:
> last update to OpenDPI was 6 years ago. Could it be used now without problems?

I sincerely doubt it. Hence my suggestion of nDPI.

Reco
Re: Deep Packet Inspection
The last update to OpenDPI was 6 years ago. Could it be used now without problems?

On 19.08.2018 20:50, Reco wrote:
> If software archeology is your thing, there's OpenDPI - [2] (sorry for
> the GitHub link again).
Re: Deep Packet Inspection
Isn't zorp gone commercial only?

On 19.08.2018 20:51, Dan Ritter wrote:
> zorp is a proxying firewall with many look-inside features, but
> is not arbitrarily deep.
Re: Deep Packet Inspection
Well. You can't really open "decipher" ssl without changing certificate, but you can exclude some sites from ssl bumping.

Eero

On Tue, Aug 21, 2018 at 9:31 AM Mimiko wrote:
> Thank you all for suggestions.
>
> Yes, I didn't tell my goal. First of course is to limit access to web
> sites and collect statistics. Yes this could be done with squid and
> ssl_bump. I hope this does not change certificate as internet-banking
> will not work. The problem for a quick implementation is with need of
> squid recompile to support ssl.
>
> The second goal is intercept packets on other ports for limiting services,
> like skype, teamviewer (especially).
>
> For now I use iptables -m string --algo kmp --to 65535 --string to
> intercept some strings on connection and block access to some sites by
> domain name. But this will not allow me to block access to all sites and
> allow access to only several sites.
>
> I was looking for a quick implementation.
>
> l7filter was interesting for me, but it is not supported anymore. nDPI
> scares me with patching kernel. And OpenDPI is not in repository.
>
> I will try to implement OpenDPI by compiling, also as squid, but this is a
> long process.
>
> As I read for snort, suricata, zorp - it is a self-contained firewall. I
> use a standard Debian installation where I run several different services.
>
> Thanks again.
Re: Deep Packet Inspection
Thank you all for suggestions.

Yes, I didn't tell my goal. First of course is to limit access to web sites and collect statistics. Yes this could be done with squid and ssl_bump. I hope this does not change certificate as internet-banking will not work. The problem for a quick implementation is with need of squid recompile to support ssl.

The second goal is intercept packets on other ports for limiting services, like skype, teamviewer (especially).

For now I use iptables -m string --algo kmp --to 65535 --string to intercept some strings on connection and block access to some sites by domain name. But this will not allow me to block access to all sites and allow access to only several sites.

I was looking for a quick implementation.

l7filter was interesting for me, but it is not supported anymore. nDPI scares me with patching kernel. And OpenDPI is not in repository.

I will try to implement OpenDPI by compiling, also as squid, but this is a long process.

As I read for snort, suricata, zorp - it is a self-contained firewall. I use a standard Debian installation where I run several different services.

Thanks again.
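Eero's point (a site can only be left out of ssl bumping if the proxy can tell which site the client is asking for) and Mimiko's whitelist problem (iptables -m string can block a domain it happens to see, but cannot express "allow only these") come down to one operation: reading the server_name (SNI) out of the TLS ClientHello before any decryption happens. That is what squid's ssl_bump peek step does at step 1 before its splice-or-bump decision. The following is an added example, not code from this thread nor from squid, nDPI or any other project named here: a bounds-checked ClientHello parser plus a default-deny whitelist that matches on label boundaries. The hostnames, the whitelist and the sample ClientHello (built by build_client_hello) are constructed for illustration.

```python
"""Added example, not code from the thread: pull the SNI out of a TLS
ClientHello and apply a default-deny whitelist to it. This is the check a
"block everything except a few sites" rule on port 443 needs, and it is
what squid's ssl_bump peek step reads before deciding to splice (leave a
banking site untouched) or bump. All inputs below are constructed here."""
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name extension
ALLOWED = ("bank.example", "intranet.example")   # hypothetical whitelist


def build_client_hello(server_name):
    """Construct a minimal ClientHello carrying one SNI entry (sample input only)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32          # version, random (zeroed: constructed)
            + b"\x00"                           # empty session_id
            + b"\x00\x02\x13\x01"               # one cipher suite
            + b"\x01\x00"                       # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(hs)) + hs


def _first_host_name(ext):
    """Walk the server_name list and return the first host_name entry."""
    if len(ext) < 2:
        return None
    end = min(2 + struct.unpack("!H", ext[:2])[0], len(ext))
    q = 2
    while q + 3 <= end:
        ntype, nlen = ext[q], struct.unpack("!H", ext[q + 1:q + 3])[0]
        name = ext[q + 3:q + 3 + nlen]
        q += 3 + nlen
        if len(name) < nlen:
            return None                          # list claims more than it carries
        if ntype == 0:
            try:
                return name.decode("ascii").lower().rstrip(".")
            except UnicodeDecodeError:
                return None                      # SNI host_name must be ASCII
    return None


def extract_sni(data):
    """Return the host_name from a ClientHello's SNI extension, or None when
    `data` is not a complete ClientHello or carries no SNI (e.g. a connection
    to a bare IP address). Every length is bounds-checked, so a truncated or
    hostile record yields None instead of an exception."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE or data[1] != 0x03:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < max(rec_len, 4) or rec[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    h = rec[4:4 + hs_len]
    if len(h) < max(hs_len, 35):
        return None
    p = 35 + h[34]                                   # skip version, random, session_id
    if p + 2 > len(h):
        return None
    p += 2 + struct.unpack("!H", h[p:p + 2])[0]      # skip cipher_suites
    if p + 1 > len(h):
        return None
    p += 1 + h[p]                                    # skip compression_methods
    if p + 2 > len(h):
        return None                                  # no extensions block at all
    end = p + 2 + struct.unpack("!H", h[p:p + 2])[0]
    p += 2
    if end > len(h):
        return None
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", h[p:p + 4])
        p += 4
        ext = h[p:p + elen]
        p += elen
        if len(ext) < elen or p > end:
            return None
        if etype == EXT_SERVER_NAME:
            return _first_host_name(ext)
    return None


def allowed_host(name, allowed=ALLOWED):
    """True only for an exact match or a subdomain of a whitelisted name.
    `iptables -m string` is a substring test: "bank.example" would also
    match "notbank.example.attacker.test"; matching on label boundaries does not."""
    if name is None:
        return False                                 # no SNI: cannot classify, default deny
    return any(name == a or name.endswith("." + a) for a in allowed)


def decide(first_packet, allowed=ALLOWED):
    """Whitelist verdict for the first packet of a TLS connection."""
    return "ACCEPT" if allowed_host(extract_sni(first_packet), allowed) else "DROP"
```

Two caveats a practitioner would want: the ClientHello can be split across TCP segments, so a per-packet match (iptables -m string) may never see the whole name, whereas a proxy reassembles the stream before it looks; and a client that sends no SNI at all, or hides it with Encrypted ClientHello, leaves nothing to classify, which is why the policy above drops when extract_sni returns None instead of falling through to allow.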
Re: Deep Packet Inspection
Hi.

On Sun, Aug 19, 2018 at 05:47:43PM -0400, Cindy-Sue Causey wrote:
> YES, I know. Overall, it still might not do the OP's job that's
> needed, but it used the SAME words I just read above in Reco's
> response.

That's true, I was brief.

The main difference between, say, nDPI and ngrep is that nDPI analyzes layer 7 of network communication *and* allows creating filtering rules on top of them. ngrep merely analyzes captured traffic.

And, if it's the network traffic analysis that one needs, there's wireshark. Go no further.

Reco
Re: Deep Packet Inspection
squid with ssl_bump

Eero

On Mon, Aug 20, 2018 at 12:48 AM Cindy-Sue Causey wrote:
> On 8/19/18, Reco wrote:
> > Hi.
> >
> > On Sun, Aug 19, 2018 at 09:03:10PM +0300, Eero Volotinen wrote:
> >> snort
> >
> > Intrusion detection. Unsuitable for traffic shaping or filtering.
> >
> >> and suricata.
> >
> > Utilizes NFQUEUE. Friends do not let friends copy network packets
> > from kernelspace to userspace and back.
>
> DISCLAIMER: I am NOT versed in this, but that didn't stop me from
> trying "apt-cache search packet sniffing". Ended up with ngrep:
>
> "ngrep strives to provide most of GNU grep's common features, applying
> them to the network layer. ngrep is a pcap-aware tool that will allow
> you to specify extended regular expressions to match against data
> payloads of packets. It currently recognizes TCP, UDP and ICMP across
> Ethernet, PPP, SLIP and null interfaces, and understands bpf filter
> logic in the same fashion as more common packet sniffing tools, such
> as tcpdump and snoop."
>
> Yes, I can see that description is very specific about what it touches
> which means it might be otherwise limited. That or it's keyword
> stuffing. Yay, go them if it's keyword happy because that does help
> users find potentially helpful packages in amongst the 10,000 (?) or
> so. :)
>
> I decided I've surely messed the whole concept up in my head so I used
> some of ngrep's stuffing/description, namely "bpf", and searched
> again:
>
> netsniff-ng: "netsniff-ng is a high performance Linux network sniffer
> for packet inspection. It can be used for protocol analysis, reverse
> engineering or network debugging. The gain of performance is reached
> by 'zero-copy' mechanisms, so that the kernel does not need to copy
> packets from kernelspace to userspace."
>
> Does NOT need to copy packets from kernelspace to userspace.
>
> YES, I know. Overall, it still might not do the OP's job that's
> needed, but it used the SAME words I just read above in Reco's
> response. That put it at least in the ballpark in my head since it's
> talking about packet inspection. Developer wrote a description that
> addressed a concern they knew knowledgeable users would have about
> this topic.
>
> So here it is for that reason plus that it did use "packet
> inspection", too. Sorry, no specific mention of "deep" according to
> one last query tried before posting.
>
> Ngrep stayed because I liked how it said it "will allow you to specify
> extended regular expressions to match against data payloads of
> packets". That makes it sound like it might have basic offerings that
> wouldn't fit everyone's needs. I decided that might not stop someone
> who knows how to roll out what they really need if they have a good,
> base Debian package as a template. :)
>
> Cindy :)
> --
> Cindy-Sue Causey
> Talking Rock, Pickens County, Georgia, USA
>
> * runs with duct tape *
Re: Deep Packet Inspection
On 8/19/18, Reco wrote:
> Hi.
>
> On Sun, Aug 19, 2018 at 09:03:10PM +0300, Eero Volotinen wrote:
>> snort
>
> Intrusion detection. Unsuitable for traffic shaping or filtering.
>
>> and suricata.
>
> Utilizes NFQUEUE. Friends do not let friends copy network packets
> from kernelspace to userspace and back.

DISCLAIMER: I am NOT versed in this, but that didn't stop me from trying "apt-cache search packet sniffing". Ended up with ngrep:

"ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop."

Yes, I can see that description is very specific about what it touches which means it might be otherwise limited. That or it's keyword stuffing. Yay, go them if it's keyword happy because that does help users find potentially helpful packages in amongst the 10,000 (?) or so. :)

I decided I've surely messed the whole concept up in my head so I used some of ngrep's stuffing/description, namely "bpf", and searched again:

netsniff-ng: "netsniff-ng is a high performance Linux network sniffer for packet inspection. It can be used for protocol analysis, reverse engineering or network debugging. The gain of performance is reached by 'zero-copy' mechanisms, so that the kernel does not need to copy packets from kernelspace to userspace."

Does NOT need to copy packets from kernelspace to userspace.

YES, I know. Overall, it still might not do the OP's job that's needed, but it used the SAME words I just read above in Reco's response. That put it at least in the ballpark in my head since it's talking about packet inspection. Developer wrote a description that addressed a concern they knew knowledgeable users would have about this topic.

So here it is for that reason plus that it did use "packet inspection", too. Sorry, no specific mention of "deep" according to one last query tried before posting.

Ngrep stayed because I liked how it said it "will allow you to specify extended regular expressions to match against data payloads of packets". That makes it sound like it might have basic offerings that wouldn't fit everyone's needs. I decided that might not stop someone who knows how to roll out what they really need if they have a good, base Debian package as a template. :)

Cindy :)
--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* runs with duct tape *
Re: Deep Packet Inspection
Hi.

On Sun, Aug 19, 2018 at 09:03:10PM +0300, Eero Volotinen wrote:
> snort

Intrusion detection. Unsuitable for traffic shaping or filtering.

> and suricata.

Utilizes NFQUEUE. Friends do not let friends copy network packets from kernelspace to userspace and back.

Reco
Re: Deep Packet Inspection
snort and suricata.

Eero

On Sun, 19 Aug 2018 at 20:52, Reco wrote:
> Hi.
>
> On Sun, Aug 19, 2018 at 08:31:42PM +0300, Mimiko wrote:
> > Hello.
> >
> > Maybe this was answered. Is there a Deep Packet Inspection to use in
> > Debian 9 for a firewall setup? Opensource and maybe in repository.
>
> Once upon a time there was so called l7filter (main suite), which was
> packaged for Debian, but it was excluded from current stable.
> Not a big loss IMO, as l7filter was only good for traffic classification
> (netfilter mangle table).
>
> You may want to check a set of kernel patches called nDPI - [1] (sorry
> for the GitHub link). It will take a patched kernel *and* iptables suite
> to make the thing run, and I suspect that amd64 is the only supported
> architecture.
>
> If software archeology is your thing, there's OpenDPI - [2] (sorry for
> the GitHub link again).
>
> As far as I can tell, there's no DPI software packaged for current
> stable at all.
>
> [1] https://github.com/vel21ripn/nDPI
>
> [2] https://github.com/thomasbhatia/OpenDPI
>
> Reco
Re: Deep Packet Inspection
On Sun, Aug 19, 2018 at 08:31:42PM +0300, Mimiko wrote:
> Hello.
>
> Maybe this was answered. Is there a Deep Packet Inspection to use in Debian 9
> for a firewall setup? Opensource and maybe in repository.

libndpi and ntopng are packaged, but no firewall built on that is packaged (that I know of).

zorp is a proxying firewall with many look-inside features, but is not arbitrarily deep.

Why do you need DPI rather than connection tracking?

-dsr-
Re: Deep Packet Inspection
Hi.

On Sun, Aug 19, 2018 at 08:31:42PM +0300, Mimiko wrote:
> Hello.
>
> Maybe this was answered. Is there a Deep Packet Inspection to use in Debian 9
> for a firewall setup? Opensource and maybe in repository.

Once upon a time there was so called l7filter (main suite), which was packaged for Debian, but it was excluded from current stable. Not a big loss IMO, as l7filter was only good for traffic classification (netfilter mangle table).

You may want to check a set of kernel patches called nDPI - [1] (sorry for the GitHub link). It will take a patched kernel *and* iptables suite to make the thing run, and I suspect that amd64 is the only supported architecture.

If software archeology is your thing, there's OpenDPI - [2] (sorry for the GitHub link again).

As far as I can tell, there's no DPI software packaged for current stable at all.

[1] https://github.com/vel21ripn/nDPI

[2] https://github.com/thomasbhatia/OpenDPI

Reco
Deep Packet Inspection
Hello.

Maybe this was answered. Is there a Deep Packet Inspection to use in Debian 9 for a firewall setup? Opensource and maybe in repository.

Thank you.