2. Error in compilation of ipt_sample.c (also take care of ipt_sample.h). Did I include it, or save it where it should be?
07/23/07||23:56
3. Definitions of the functions used in ipt_sample is changed. MAKE CHANGES ACCORDINGLY.
07/25/07||23:32
4. I checked all header files regarding the code which is not commented out. The thing is it's not being compiled, and I doubt it's because I have to put it in the kernel, make changes in the Config file and then go for make or something. Try these steps first before continuing with anything. Then work on it later.
"There is nothing what you and I together can't do!" ...toink!
08/06/07||23:46
5. Trying to compile the kernel source. I think (not sure) there may be something else to compile the iptables source only.... but maybe not, I guess. Will do it tomorrow.
08/08/07||00:56
6. Compiled ipt_sample.c successfully. Now it's not being taken by 'insmod', giving error: FATAL: Module ipt_sample not found. Try to work on it tomorrow night.
08/09/07||00:25
7. insmod worked after "su -". Now packets are not being dropped.
08/16/07||22:45
8. Netfilter's kernel modules should be kept here after compiling:
/lib/modules/2.6.18.2-34-default/kernel/net/ipv4/netfilter
9. iptables -I PREROUTING -t mangle -m sample --src-ip 127.0.0.1 --dst-ip 127.0.0.1 -j ACCEPT
08/22/07||00:39
10. struct iphdr (and others) is defined in /include/linux/
11. include/linux/in.h
****
/* Standard well-defined IP protocols. */
enum {
IPPROTO_IP = 0, /* Dummy protocol for TCP */
IPPROTO_ICMP = 1, /* Internet Control Message Protocol */
IPPROTO_IGMP = 2, /* Internet Group Management Protocol */
IPPROTO_IPIP = 4, /* IPIP tunnels (older KA9Q tunnels use 94) */
IPPROTO_TCP = 6, /* Transmission Control Protocol */
IPPROTO_EGP = 8, /* Exterior Gateway Protocol */
IPPROTO_PUP = 12, /* PUP protocol */
IPPROTO_UDP = 17, /* User Datagram Protocol */
IPPROTO_IDP = 22, /* XNS IDP protocol */
IPPROTO_DCCP = 33, /* Datagram Congestion Control Protocol */
IPPROTO_RSVP = 46, /* RSVP protocol */
IPPROTO_GRE = 47, /* Cisco GRE tunnels (rfc 1701,1702) */
IPPROTO_IPV6 = 41, /* IPv6-in-IPv4 tunnelling */
IPPROTO_ESP = 50, /* Encapsulation Security Payload protocol */
IPPROTO_AH = 51, /* Authentication Header protocol */
IPPROTO_PIM = 103, /* Protocol Independent Multicast */
IPPROTO_COMP = 108, /* Compression Header protocol */
IPPROTO_SCTP = 132, /* Stream Control Transport Protocol */
IPPROTO_RAW = 255, /* Raw IP packets */
IPPROTO_MAX
};
12.
iptables -D
rmmod ipt_sample
13. The latest ipt_sample module got SUCCESSFULLY compiled with support for all 3 protocols: ICMP, TCP, UDP.
Now all I need is to copy it to the kernel modules directory, insmod it, write some good chains and SEE THE MAGIC!!
08/26/2007||01:51
14.
iptables -F PREROUTING -t mangle
iptables -L PREROUTING -t mangle
iptables -I PREROUTING -t mangle -m sample --src-ip 127.0.0.1 --dst-ip 130.86.241.250 -j ACCEPT
15. Jumbopacket
Sniffing data >= 9000 bytes, which current sniffers don't provide.
16. One more thing: I think iptables or skb has to be configured to get packets from the WiFi card!! I think it supports only the Ethernet card! Double-check this.
09/05/07||21:13
17. Made changes in the options. Can skip either of the IPs for src/dst and that works great, but it only takes "ping localhost"
and not any remote IP like "ping google.com". I think skb is configured to use Ethernet and not WiFi (I guess!!), and I'm trying to find the net_device structure to get the info about the device skb is using.
09/07/07||01:19
18. Module ipt_sample can track all traffic: ICMP, UDP, TCP. The problem was that I was inserting the chain in the wrong table.
iptables -I PREROUTING -t mangle -m sample --src-ip 127.0.0.1 --dst-ip 127.0.0.1 -j ACCEPT can track "ping localhost" but it can't track "ping google.com", as the ping request for google.com arises from the local machine, so it appears on the OUTPUT chain first and doesn't go through PREROUTING. The reply can be matched in PREROUTING, but it has the SRC and DST addresses altered.
To track "ping google.com" the correct rule should be "iptables -I POSTROUTING -t mangle -m sample --src-ip
Now at this point in time everything works for the ACCEPT and DROP targets too!!! HURRAYYYYYYYYYY.....
One thing came to my mind... "There is nothing what you and I together can't do!"
09/12/07||01:14
19. Installed L7-Filter
I got L7-Filter to apply regex on application layer data to classify traffic.
I got three patch files to apply patches to the kernel and to iptables:
1. netfilter-layer7-v2.13
--> Applied patch "kernel-2.6.18-2.6.19-layer7-2.9.patch" to the kernel using:
Copied the patch file to the "/usr/src/linux-2.6.18.2-34" directory and then
#cd /usr/src/linux-2.6.18.2-34
#patch -p1 < kernel-2.6.18-2.6.19-layer7-2.9.patch
--> Applied patch "iptables-for-kernel-pre2.6.20-layer7-2.13.patch" to iptables using:
Copied the patch file to the directory "/root/Desktop/iptables-1.3.6" and then
#cd /root/Desktop/iptables-1.3.6
#patch -p1 < iptables-for-kernel-pre2.6.20-layer7-2.13.patch
--> Then I did
#chmod +x extensions/.layer7-test
--> Installed iptables-1.3.6
#cd /root/Desktop/iptables-1.3.6/
#make KERNEL_DIR=/usr/src/linux-2.6.18.2-34
#make install KERNEL_DIR=/usr/src/linux-2.6.18.2-34
2. l7-protocols-2007-07-27.tar.gz
#tar -C /etc/ -xvf l7-protocols-2007-07-27.tar.gz
#cd /etc/
#mv l7-protocols-2007-07-27 l7-protocols
20. And compiled the kernel again
#cd /usr/src/linux-2.6.18.2-34
#make
Choose option N when asked for the layer7 module!
It seems like it got successfully installed, as it displayed a help message on
#iptables -m layer7 -h
Now let's start working on matching APPLICATION LAYER DATA
09/14/07||21:28
21. Figure out how you can apply REGEX on Layer 7 data. It's been a long time (see the date above)! Now get it done within 2-3 weeks and start working on the report and HUNTING for a JOB!
10/19/07||02:05
21. For application level data I am thinking of doing something like
iptables -A POSTROUTING -t mangle
-m sample --src-ip SRCIP --sport SPORT --dst-ip DSTIP --dport DPORT --app APPLICATION -j ACCEPT
where I can do a REGEX on APP-LEVEL DATA and sniff the traffic accordingly; something like: a packet matching the IPs and PORTs will have its APPLICATION LAYER DATA or APPLICATION LAYER PROTOCOL scanned and will do the sniffing!!
Keep it in mind and talk to Dr Ouyang!
10/22/07||00:00
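As an added example for entries 13, 17 and 21 (a hypothetical userland model written here, not the ipt_sample module's own code), this is the match logic the log describes: only ICMP/TCP/UDP are tracked, a src/dst IP or port option set to 0 is skipped, and ports are compared only for TCP/UDP. The packet bytes are constructed; the option struct, function names and the 0-means-skip encoding are assumptions.

```c
/* Userland model of the ipt_sample match described in this log (a hypothetical
 * re-implementation, not the module's code): it reads the IPv4 header the way the
 * module reads skb->nh.iph and applies --src-ip/--dst-ip/--sport/--dport,
 * where 0 means "skip this field" (entry 17). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>          /* IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP */
struct sample_info {             /* options the userspace extension hands over */
    uint32_t src_ip, dst_ip;     /* host byte order, 0 = any */
    uint16_t sport, dport;       /* host byte order, 0 = any */
};
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
/* Returns 1 on match, 0 otherwise. Only ICMP, TCP and UDP are tracked (entry 13);
 * ports are compared for TCP/UDP only; an ICMP packet matches on addresses alone. */
int sample_match(const uint8_t *pkt, size_t len, const struct sample_info *info)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;          /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) return 0;                   /* header truncated */
    uint8_t proto = pkt[9];
    if (proto != IPPROTO_ICMP && proto != IPPROTO_TCP && proto != IPPROTO_UDP) return 0;
    if (info->src_ip && be32(pkt + 12) != info->src_ip) return 0;
    if (info->dst_ip && be32(pkt + 16) != info->dst_ip) return 0;
    if (proto == IPPROTO_ICMP) return 1;                   /* nothing more to check */
    if (len < ihl + 4) return 0;                           /* port fields missing */
    if (info->sport && be16(pkt + ihl) != info->sport) return 0;
    if (info->dport && be16(pkt + ihl + 2) != info->dport) return 0;
    return 1;
}
/* Constructed packet: UDP 127.0.0.1:5353 -> 130.86.241.250:53, 20-byte IP header. */
static const uint8_t sample_udp[28] = {
    0x45,0x00,0x00,0x1c, 0x00,0x00,0x40,0x00, 0x40,17,0x00,0x00,   /* proto 17 = UDP */
    127,0,0,1, 130,86,241,250,
    0x14,0xe9, 0x00,0x35, 0x00,0x08, 0x00,0x00 };
int demo_dst_and_dport(void) {           /* --dst-ip 130.86.241.250 --dport 53, src skipped */
    struct sample_info i = { 0, 0x8256F1FA, 0, 53 };
    return sample_match(sample_udp, sizeof sample_udp, &i);
}
int demo_other_proto(void) {             /* same packet relabelled as GRE (47): untracked */
    uint8_t pkt[28]; memcpy(pkt, sample_udp, 28); pkt[9] = 47;
    struct sample_info i = { 0x7F000001, 0, 0, 0 };
    return sample_match(pkt, sizeof pkt, &i);
}
```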