
Linux Firewalls - Michael Rash [99]

has both the SYN and FIN flags set:

[iptablesfw]# iptables -A INPUT -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix "SCAN SYN FIN "

itype and icode

Both the itype and icode options match specified numeric values within the 8-bit ICMP type and code fields, respectively, of the ICMP header. For example, to test for ICMP fragmentation-needed packets within a Snort rule, we would use the options itype: 3; icode: 4;. The specific numeric values that map to the various ICMP types and codes are defined in RFC 792 (see http://www.faqs.org/rfcs/rfc792.html). The iptables ICMP-handling code supports matching against the type and code fields within the ICMP header via the arguments -p icmp --icmp-type type/code, where type/code is the proper ICMP message type spelled out (i.e., source-quench) or its equivalent numeric value. A complete list of all ICMP message types supported by iptables can be obtained by executing # iptables -p icmp -h (this output is quite long and is thus not included here), and their corresponding numeric values can be found within the icmp_codes[] array in the extensions/libipt_icmp.c file within the iptables sources.

Both the Snort itype and icode options support ranges of ICMP types and codes through the use of the < and > operators. For example, to match against all ICMP messages that have a type greater than 10 and code less than 30, one would use itype: >10; icode: <30; within a Snort rule. Unfortunately, the iptables ICMP match does not allow the notion of ranges for the ICMP type or code fields, but it should be noted that no default Snort rules use an itype range, and less than one percent use an icode range.

The following example iptables rule drops all ICMP source-quench messages:

[iptablesfw]# iptables -A INPUT -p icmp --icmp-type 4/0 -j DROP

ttl

The ttl option allows Snort to match against the Time-to-Live (TTL) value in the IP header. The ttl option is quite flexible and allows the TTL header value to be compared against a specified integer value where the supported comparisons are less than, equal to, or greater than.

For example, to match a TTL value in the IP header that is exactly 30, the Snort rule option ttl:30; would be given. To match only if the TTL value is less than 30, the option ttl:<30; would suffice, and finally, to match only if the TTL value is greater than 30, we would include ttl:>30;. These operations are supported by iptables with its TTL match via the arguments: -m ttl --ttl-lt value, -m ttl --ttl-eq value, and -m ttl --ttl-gt value, as displayed in the iptables help output:

[iptablesfw]# iptables -m ttl -h
TTL match v1.3.7 options:
  --ttl-eq value        Match Time-to-Live value
  --ttl-lt value        Match TTL < value
  --ttl-gt value        Match TTL > value

The iptables TTL match is only available if CONFIG_IP_NF_MATCH_TTL is enabled within the kernel configuration file. An example iptables rule that detects and logs all IP packets with a TTL value of zero can be built as follows:

[iptablesfw]# iptables -A INPUT -p ip -m ttl --ttl-eq 0 -j LOG --log-prefix "ZERO TTL TRAFFIC "

tos

The tos option instructs Snort to inspect the Type Of Service (TOS) bits within the IP header, and this option is relatively simple in Snort since it can only accept a numeric value with an optional ! to negate it. This option is supported by the iptables TOS match with the arguments -m tos --tos value. The TOS match also supports negation, as displayed in the help output:

[iptablesfw]# iptables -m tos -h
TOS match v1.3.7 options:
[!] --tos value         Match Type of Service field from one of the
                        following numeric or descriptive values:
                        Minimize-Delay 16 (0x10)
                        Maximize-Throughput 8 (0x08)
                        Maximize-Reliability 4 (0x04)
                        Minimize-Cost 2 (0x02)
                        Normal-Service 0 (0x00)

The example command below logs all IP packets that have a TOS value of 16 (Minimize-Delay):

[iptablesfw]# iptables -A INPUT -p ip -m tos --tos 16 -j LOG --log-prefix "MIN-DELAY TOS "
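The itype/icode, ttl and tos translations described above, worked through as an added example (this is illustrative code written for this page, not the book's own or fwsnort's). It maps a Snort option dictionary such as {"itype": "3", "icode": "4", "ttl": "<30", "tos": "!16"} onto the iptables arguments shown in the help output, and reports the cases the text says iptables cannot express (ICMP type or code ranges) instead of silently emitting a weaker rule. The dictionary input format and the function names are assumptions.

```python
import re

# Snort ttl comparison -> iptables ttl match argument (from the help output above).
TTL_FLAGS = {"": "--ttl-eq", "<": "--ttl-lt", ">": "--ttl-gt"}

def _split(value):
    """Split a Snort option value like '<30', '>10', '!16' or '30' into
    (operator, integer); anything else is rejected."""
    m = re.fullmatch(r"\s*([<>!]?)\s*(\d+)\s*", value)
    if not m:
        raise ValueError(f"cannot parse option value {value!r}")
    return m.group(1), int(m.group(2))

def translate(options):
    """Return (iptables_args, unsupported) for the Snort options itype, icode,
    ttl and tos. Anything iptables cannot express is listed in `unsupported`
    so the caller can refuse to emit a rule that matches more than the Snort
    signature intended."""
    args, unsupported = [], []
    if "itype" in options:
        t_op, t_val = _split(options["itype"])
        c_op, c_val = _split(options["icode"]) if "icode" in options else ("", None)
        if t_op or c_op:
            # Snort ranges (>10, <30) have no --icmp-type equivalent.
            unsupported.append("itype/icode range")
        else:
            spec = str(t_val) if c_val is None else f"{t_val}/{c_val}"
            args += ["-p", "icmp", "--icmp-type", spec]
    elif "icode" in options:
        unsupported.append("icode without itype")  # --icmp-type needs a type
    if "ttl" in options:
        op, val = _split(options["ttl"])
        if op == "!":
            unsupported.append("negated ttl")  # no [!] form in the ttl help
        else:
            args += ["-m", "ttl", TTL_FLAGS[op], str(val)]
    if "tos" in options:
        op, val = _split(options["tos"])
        if op in ("<", ">"):
            raise ValueError("Snort tos accepts only a value with optional !")
        args += ["-m", "tos"] + (["!"] if op == "!" else []) + ["--tos", str(val)]
    return args, unsupported

def build_rule(options, chain="INPUT", target="DROP"):
    """Full iptables command line, or None if any option is unsupported."""
    args, unsupported = translate(options)
    if unsupported or not args:
        return None
    return " ".join(["iptables", "-A", chain] + args + ["-j", target])
```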

ipopts

The ipopts Snort option allows searching criteria to be applied to the options portion of the IP header. Although IP options
