Online Book Reader


Linux Firewalls - Michael Rash [98]

is suspicious—whether it is encoded or not. In addition, certain automated attacks may not include the ability to change the encoding of a portion of an exploit sent against a webserver, so a single string is all that is needed to detect the attack. Thus, fwsnort equates the content and uricontent Snort options, although clearly this comes at the expense of potentially missing URL-encoded attacks.

offset

The offset Snort option instructs Snort to begin application content matching operations at a specified number of bytes past the beginning of the payload data within a packet. This is an absolute number that applies to all content matches in the Snort rule, and it is not subject to the relative number of bytes between multiple content matches (the distance Snort option is used for this). The offset option is supported in iptables by using the --from command-line argument to the string match extension when looking for a pattern in payload data (this is only supported in kernel versions 2.6.14 and later). The following example constructs an iptables rule that drops all TCP packets destined for port 80 that contain the string "/etc/passwd" in the packet payload anywhere after the hundredth byte:[55]

[iptablesfw]# iptables -A INPUT -p tcp --dport 80 -m string --string "/etc/passwd" \
    --from 100 --algo bm -j DROP

depth

The depth Snort option requires that all attempts to match content within packet payload data do not exceed a specified number of bytes beyond the beginning of the payload. Like the offset option above, using the depth criteria within a Snort rule applies globally to all content matches. To search for patterns that cannot be more than a given number of bytes apart, one would use the within Snort rule option. For kernel versions 2.6.14 and later, the --to command-line argument to the string match extension is used to emulate the depth option within iptables.

The following example demonstrates the usage of the --to command-line argument to have iptables drop all TCP packets destined for port 80 that contain the string "/etc/passwd" within the packet payload anywhere before the thousandth byte:

[iptablesfw]# iptables -A INPUT -p tcp --dport 80 -m string --string "/etc/passwd" \
    --to 1000 --algo bm -j DROP

distance

The distance option is used by Snort to specify the number of bytes to skip between pattern matches. There is no direct way to tell the string match extension how many bytes to skip from a previous pattern match, but fwsnort uses an approximation based on the length of the previous pattern match and any offset modifier. To disable the translation of Snort rules that contain the distance keyword, you can use the --strict option on the fwsnort command line.

within

The within option instructs Snort to require that a subsequent pattern match after an initial match must take place within a specified number of bytes. This is similar to the distance option and is supported in fwsnort by making an approximation based on the length of the previous pattern (--strict on the fwsnort command line disables this behavior).

flags

The flags Snort option applies search criteria to the control bits in the TCP header. The control bits vary depending on the state of a TCP connection, and iptables can match specific combinations via the --tcp-flags argument. For example, the Snort rule to detect an Nmap OS fingerprint attempt uses the flags option to search for the Syn, Fin, Push, and Urg flags in the TCP header. The equivalent arguments to the iptables binary are -p tcp --tcp-flags SYN,FIN,PSH,URG SYN,FIN,PSH,URG. The --tcp-flags command-line switch requires two arguments: a list of the flags that should be inspected, followed by a list of those flags that must actually be set. This allows the first argument to act as a mask for the set flag bits that must be examined.
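The following Python function is an added example (not fwsnort's own code) that applies the mapping described in the offset, depth, distance, within, and flags sections above to a simplified Snort rule and produces the corresponding iptables arguments. The rule grammar it accepts, the distance/within arithmetic, and the SAMPLE rule are all assumptions made for this illustration; the strict flag mimics what the text says --strict does by refusing rules that use distance or within.

```python
import re

# Snort flag letters -> iptables --tcp-flags names (the text's Nmap rule uses S, F, P, U)
FLAG_NAMES = {"S": "SYN", "F": "FIN", "P": "PSH", "U": "URG", "A": "ACK", "R": "RST"}
# one Snort option 'name[:value];' (simplification: no ';' or '"' inside a value)
OPTION_RE = re.compile(r'(\w+)(?::\s*"?([^";]*)"?)?\s*;')


def snort_to_iptables(rule, strict=False):
    """Translate a simplified Snort rule into an iptables argument list;
    strict=True returns None for rules that use distance or within."""
    header, _, body = rule.partition("(")
    fields = header.split()                     # alert tcp any any -> any 80
    args = ["-A", "INPUT", "-p", fields[1]]
    if fields[6] != "any":
        args += ["--dport", fields[6]]
    matches = []                                # one dict per content option
    for name, value in OPTION_RE.findall(body):
        if name == "content":
            matches.append({"string": value, "from": None, "to": None})
        elif name in ("offset", "depth") and matches:
            # offset -> --from, depth -> --to (absolute values, as the text explains)
            matches[-1]["from" if name == "offset" else "to"] = int(value)
        elif name in ("distance", "within") and len(matches) > 1:
            if strict:
                return None
            # approximation (assumed here, not fwsnort's exact arithmetic): anchor
            # the search window after the previous pattern via its --from + length
            prev, cur = matches[-2], matches[-1]
            start = (prev["from"] or 0) + len(prev["string"])
            if name == "distance":
                cur["from"] = start + int(value)
            else:
                cur["to"] = start + int(value) + len(cur["string"])
        elif name == "flags":
            names = ",".join(FLAG_NAMES[c] for c in value if c in FLAG_NAMES)
            args += ["--tcp-flags", names, names]  # mask == set list, as in the text
    for m in matches:
        args += ["-m", "string", "--string", m["string"]]
        if m["from"] is not None:
            args += ["--from", str(m["from"])]
        if m["to"] is not None:
            args += ["--to", str(m["to"])]
        args += ["--algo", "bm"]
    return args + ["-j", "DROP"]


# constructed sample rule in the style of the /etc/passwd examples above
SAMPLE = ('alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd access"; '
          'content:"/etc/passwd"; offset:100; depth:1000; flags:SFPU; sid:1122;)')
print("iptables " + " ".join(snort_to_iptables(SAMPLE)))
```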

No special kernel configuration option is required to make use of the --tcp-flags option, because it is built in to the core TCP-handling code within iptables. The following example illustrates an iptables rule that detects when a TCP packet

