how to block Kazaa?

Jaroslav Jirásek jarda at egerius.cz
Fri Oct 25 11:34:19 CEST 2002


Thanks, it seems that Kazaa could be blocked via patch-o-matic...
I'm not entirely clear on how it is used - are those patches that
have to be added to iptables? And there surely won't be a patch
for blocking Kazaa - would I have to write one myself? I definitely
couldn't manage that. It would mean finding out how Kazaa's communication
differs from the ordinary HTTP protocol, and that is surely beyond me.

Jirasek


> A thought just crossed my mind...  and I went straight off to search...
> It isn't exactly the thing, but it could be used...  (even though it says
> 'please don't use', that concerns worms ;-), so try using the string
> match from iptables patch-o-matic???
>
> ***
>
> 3.14 How do I stop worm XYZ with netfilter ?
>
> The short answer is you cannot do that properly with netfilter. Most of the
> worms are using a legitimate high level protocol (i.e. HTTP, SMTP (i.e. VB
> script attached in email), or any exploit of a vulnerability found in the
> daemon handling the protocol). By high level protocol, we mean above
> TCP/IP. As iptables does not understand these high level protocols, it's
> almost impossible to filter part of them out properly. For that you need
> application filtering proxies.
>
> Please do not use the string match from patch-o-matic instead of
> application proxy filtering. It would be defeated at any time by fragmented
> packets (i.e. an HTTP request split on two TCP packets), by IDS evasion
> techniques, etc... you have been warned! The string match is useful but for
> different purposes.
>
> --
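The fragmentation point made in the quoted FAQ, as an added example that is not part of the original thread and not netfilter's own code: a small Python simulation of a per-packet matcher (the way a patch-o-matic string match sees one TCP segment at a time, with no reassembly) beside a matcher that reassembles the stream first. The request bytes and the header name used as the signature are constructed for illustration only; they are assumptions, not a real Kazaa signature.

```python
# Added example (not from the original thread): why a per-packet string match
# is evaded by splitting a request across TCP segments, while a matcher that
# reassembles the stream (an application proxy or stream-aware IDS) is not.

# Assumed, illustrative application-level marker. Not a real Kazaa signature.
SIGNATURE = b"X-Kazaa-Network:"

# Constructed sample request, not captured traffic.
REQUEST = (b"GET /some-file.mp3 HTTP/1.1\r\n"
           b"Host: peer.example\r\n"
           b"X-Kazaa-Network: KaZaA\r\n"
           b"\r\n")


def per_packet_match(segments, signature=SIGNATURE):
    """Stateless matcher: every TCP segment payload is inspected on its own,
    which is how a per-packet string match sees the data."""
    return any(signature in seg for seg in segments)


def stream_match(segments, signature=SIGNATURE):
    """Reassembling matcher: join the segments in order, then search the
    reconstructed byte stream."""
    return signature in b"".join(segments)


def split_stream(payload, cut_points):
    """Cut one request payload into TCP-segment sized pieces at the given
    byte offsets (constructed segmentation for the demo)."""
    segments, prev = [], 0
    for cut in sorted(cut_points):
        segments.append(payload[prev:cut])
        prev = cut
    segments.append(payload[prev:])
    return [s for s in segments if s]


def evasion_demo():
    """Return (per-packet hit on the unsplit request,
               per-packet hit on the split request,
               stream hit on the split request)."""
    whole = [REQUEST]
    # Split the request in the middle of the signature so that neither
    # segment contains the full pattern on its own.
    idx = REQUEST.index(SIGNATURE) + len(SIGNATURE) // 2
    split = split_stream(REQUEST, [idx])
    return (per_packet_match(whole),
            per_packet_match(split),
            stream_match(split))


if __name__ == "__main__":
    unsplit, split_pp, split_stream_hit = evasion_demo()
    print("per-packet match, unsplit request:", unsplit)
    print("per-packet match, split request:  ", split_pp)
    print("stream match,     split request:  ", split_stream_hit)
```

The sender of the request controls where segment boundaries fall, so a client only has to send a small first write ending inside the pattern for the per-packet rule to miss it; only reassembly recovers the match.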




More information about the Linux mailing list