  1. #1  OmidPLuS (Just Joined!, joined Nov 2010, 5 posts)

    libpcap, reject packets

    I'm trying to make something like an IDS or firewall; it should work by analyzing incoming and outgoing packets and rejecting some of them.
    I'm currently using libpcap to process incoming and outgoing packets. I can get any packet I need, but the problem is that I'm not able to reject any packets.
    By rejecting packets, I mean not letting the packet get to its destination. For example, I don't want some packets to get to Apache, or vice versa, I don't want some packets produced by Apache to get to the client.
    Is it possible to do this with libpcap?

  2. #2  Rubberman (Linux Guru, joined Apr 2009, 11,397 posts; Location: I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.)
    I think you would have to do this in the kernel in the network driver software. I'm not sure it can be done in user space, though I could well be incorrect in that assumption.

    Also, this seems a lot like a school project... Please don't ask for help with school work here. It is not allowed by the terms of use for these forums that you agreed to when you signed up.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  3. #3  OmidPLuS (Just Joined!, joined Nov 2010, 5 posts)
    Thanks for your reply, but I don't want to do much; I just want to build an IDS, something like Snort.
    It is not a school project. I'm trying to make an IDS for myself using Qt as the GUI, and if it works well (at least better than Snort) I will share the source code with everyone.

    I don't think Snort does the work in the kernel space of a software driver!

  4. #4  Rubberman (Linux Guru, joined Apr 2009, 11,397 posts)
    Quote Originally Posted by OmidPLuS:
        Thanks for your reply, but I don't want to do much; I just want to build an IDS, something like Snort.
        It is not a school project. I'm trying to make an IDS for myself using Qt as the GUI, and if it works well (at least better than Snort) I will share the source code with everyone.

        I don't think Snort does the work in the kernel space of a software driver!
    An IDS is not, in my opinion, in the category of "not doing much"... Intrusion detection systems are, by necessity, highly sophisticated due to their need to detect very subtle attempts to penetrate the system from a numerous set of vectors. Don't kid yourself. This is NOT easy to do!
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!

  5. #5  OmidPLuS (Just Joined!, joined Nov 2010, 5 posts)
    Quote Originally Posted by Rubberman:
        An IDS is not, in my opinion, in the category of "not doing much"... Intrusion detection systems are, by necessity, highly sophisticated due to their need to detect very subtle attempts to penetrate the system from a numerous set of vectors. Don't kid yourself. This is NOT easy to do!
    You are right, it is not an easy job to do.
    My problem is not detecting the attempts; currently I'm using some simple attacks.
    I found a way to do what I was looking for. What I'm doing right now is that after finding out that a packet is an attack (only for TCP/IP on port 80), I use libnet to send a RST packet to the source IP. It disconnects the connection and the attacker won't get the result (this is what I wanted).

    The other problem I have is that my web server (Apache) still processes the packet, but of course the result is not seen by the attacker. For performance reasons, I think it would be much better not to let the packet get to the web server. Can it be done in user space? If yes, how?

    thanks in advance
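
The reset technique described in the post above, written out as an added example (this is not OmidPLuS's code, which the thread never shows). The frame is parsed as a libpcap callback would receive it on Ethernet, and a RST/ACK is crafted toward the sender, spoofed from its peer, with the sequence number set to the sender's own ACK number: that is the byte the sender expects next, so the reset is accepted instead of being discarded as out-of-window, which is the detail that decides whether this works at all. Addresses, ports and the sample request frame are constructed for illustration. The block only builds the bytes; putting them on the wire needs a raw socket or libnet (libnet_build_tcp, libnet_build_ipv4, libnet_write), which is left out so the example runs unprivileged. Two caveats a practitioner would add: the injected RST races Apache's real reply, so it only helps if it arrives first, and it does nothing about the request Apache has already received, which is the second problem raised above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header sizes in bytes; frames are handled as raw bytes so nothing here
 * depends on platform-specific header structs. */
#define ETH_HLEN      14
#define IPV4_MIN_HLEN 20
#define TCP_MIN_HLEN  20
#define TCP_FLAG_SYN  0x02
#define TCP_FLAG_RST  0x04
#define TCP_FLAG_ACK  0x10

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* RFC 1071 one's-complement sum, shared by the IPv4 and TCP checksums. */
static uint32_t csum_add(uint32_t sum, const uint8_t *data, size_t len) {
    for (size_t i = 0; i + 1 < len; i += 2) sum += be16(data + i);
    if (len & 1) sum += (uint32_t)data[len - 1] << 8;
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

struct tcp_info {
    uint8_t  src_ip[4], dst_ip[4];
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  flags;
    uint32_t payload_len;
};

/* Parse an Ethernet/IPv4/TCP frame as a pcap_loop callback receives it.
 * Returns 0 on success, -1 if the frame is not IPv4/TCP or is truncated. */
int parse_tcp_frame(const uint8_t *frame, size_t len, struct tcp_info *out) {
    if (len < ETH_HLEN + IPV4_MIN_HLEN + TCP_MIN_HLEN) return -1;
    if (be16(frame + 12) != 0x0800) return -1;                  /* EtherType: IPv4 only */
    const uint8_t *ip = frame + ETH_HLEN;
    size_t   ihl = (size_t)(ip[0] & 0x0f) * 4;
    uint16_t tot = be16(ip + 2);
    if ((ip[0] >> 4) != 4 || ip[9] != 6) return -1;             /* version 4, protocol TCP */
    if (ihl < IPV4_MIN_HLEN || tot > len - ETH_HLEN || ihl + TCP_MIN_HLEN > tot) return -1;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < TCP_MIN_HLEN || ihl + doff > tot) return -1;
    memcpy(out->src_ip, ip + 12, 4);
    memcpy(out->dst_ip, ip + 16, 4);
    out->sport = be16(tcp);
    out->dport = be16(tcp + 2);
    out->seq   = be32(tcp + 4);
    out->ack   = be32(tcp + 8);
    out->flags = tcp[13];
    out->payload_len = (uint32_t)(tot - ihl - doff);
    return 0;
}

/* Build a 40-byte IPv4+TCP RST/ACK (no Ethernet header) addressed to the host
 * that sent the observed segment, spoofed from its peer. seq is the observed
 * ACK number, i.e. exactly the byte the sender expects next, so the reset is
 * accepted rather than dropped as out-of-window. Returns 40 or -1. */
int build_rst_to_sender(const struct tcp_info *in, uint8_t *out, size_t outlen) {
    if (outlen < 40) return -1;
    memset(out, 0, 40);
    out[0] = 0x45;                               /* IPv4, IHL 5 */
    put16(out + 2, 40);                          /* total length */
    put16(out + 6, 0x4000);                      /* DF, no fragmentation */
    out[8] = 64;                                 /* TTL */
    out[9] = 6;                                  /* TCP */
    memcpy(out + 12, in->dst_ip, 4);             /* from the peer ... */
    memcpy(out + 16, in->src_ip, 4);             /* ... to the sender */
    put16(out + 10, csum_fold(csum_add(0, out, 20)));
    uint8_t *t = out + 20;
    put16(t, in->dport);
    put16(t + 2, in->sport);
    put32(t + 4, in->ack);                       /* seq = sender's RCV.NXT */
    put32(t + 8, in->seq + in->payload_len + ((in->flags & TCP_FLAG_SYN) ? 1 : 0));
    t[12] = 0x50;                                /* data offset 5 words */
    t[13] = TCP_FLAG_RST | TCP_FLAG_ACK;
    uint8_t pseudo[12];                          /* src, dst, zero, proto, TCP length */
    memcpy(pseudo, out + 12, 8);
    pseudo[8] = 0; pseudo[9] = 6; put16(pseudo + 10, 20);
    put16(t + 16, csum_fold(csum_add(csum_add(0, pseudo, 12), t, 20)));
    return 40;
}

/* Recompute both checksums over a finished packet; 1 if both verify. */
int rst_checksums_ok(const uint8_t *pkt, size_t len) {
    if (len < 40) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t tcp_len = (uint16_t)(be16(pkt + 2) - ihl);
    uint8_t pseudo[12];
    memcpy(pseudo, pkt + 12, 8);
    pseudo[8] = 0; pseudo[9] = 6; put16(pseudo + 10, tcp_len);
    return csum_fold(csum_add(0, pkt, ihl)) == 0 &&
           csum_fold(csum_add(csum_add(0, pseudo, 12), pkt + ihl, tcp_len)) == 0;
}

/* Constructed sample frame: 10.0.0.5:40000 -> 10.0.0.80:80, PSH/ACK, seq 1000,
 * ack 5000, 16-byte payload "GET / HTTP/1.0\r\n". Its own checksums are left
 * zero; the parser does not verify them. */
const uint8_t SAMPLE_FRAME[70] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x38, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x05, 0x0a,0x00,0x00,0x50,
    0x9c,0x40,0x00,0x50, 0x00,0x00,0x03,0xe8, 0x00,0x00,0x13,0x88,
    0x50,0x18,0xff,0xff, 0x00,0x00,0x00,0x00,
    0x47,0x45,0x54,0x20,0x2f,0x20,0x48,0x54,0x54,0x50,0x2f,0x31,0x2e,0x30,0x0d,0x0a
};

int main(void) {
    struct tcp_info ti; uint8_t rst[40];
    if (parse_tcp_frame(SAMPLE_FRAME, sizeof SAMPLE_FRAME, &ti) != 0) return 1;
    build_rst_to_sender(&ti, rst, sizeof rst);
    printf("RST %u.%u.%u.%u:%u -> %u.%u.%u.%u:%u seq=%lu ack=%lu checksums_ok=%d\n",
           (unsigned)rst[12], (unsigned)rst[13], (unsigned)rst[14], (unsigned)rst[15], (unsigned)be16(rst + 20),
           (unsigned)rst[16], (unsigned)rst[17], (unsigned)rst[18], (unsigned)rst[19], (unsigned)be16(rst + 22),
           (unsigned long)be32(rst + 24), (unsigned long)be32(rst + 28), rst_checksums_ok(rst, 40));
    return 0;
}
```

Resetting the server side as well would mean a second segment in the opposite direction with seq = observed seq + payload length; the same builder with the roles swapped produces it.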

  6. #6  Rubberman (Linux Guru, joined Apr 2009, 11,397 posts)
    Glad to hear that you are making some progress in this. One possible suggestion is that your application listens on port 80 (or other ports as desired) and zaps attacks as you are now. Your web server should listen on another port, and if packets are valid as processed by your application, it then forwards the packets to the port that your server is listening on. That will give you the following benefits:

    1. Nothing that you don't want will get to your web or other server (depending upon the ports you intercept).
    2. This can all be done in user space - no kernel modules required.
    3. You then have what is effectively a packet-sniffing firewall/proxy server.

    I'd be happy to review your code any time you like. You can post it here and get feedback from myself as well as a number of other Linux programming wizards that lurk on the forums. Just remember Rubberman's first law of software engineering - it is easier to add performance to a well-designed program than to fix one that is not.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
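
The proxy arrangement suggested above, as an added example rather than anything from the thread. The proxy owns port 80, buffers the request head, runs it through a verdict function that stands in for the poster's detector, and only if the verdict is PASS opens a connection to Apache on an assumed 127.0.0.1:8080, forwards the buffered head and relays both directions. The listening port, backend address and the three drop rules (a control or non-ASCII byte in the head, an unknown method, a literal "../" in the request line) are assumptions for illustration, not Snort rules. It is a plain accept-and-forward loop, one connection at a time, with no TLS and no keep-alive handling; the point is the control flow that keeps a rejected request from ever reaching the server, which a libpcap sniffer by itself cannot do. Note that, unlike the RST approach, the client's packets still arrive at the host and are delivered by the kernel to the proxy; only the web server is shielded.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_HEAD 8192   /* a request head that does not end within this many bytes is refused */

/* Verdicts for a request head. The rules below are illustrative stand-ins for
 * whatever the detector decides; they are assumptions, not Snort rules. */
enum verdict { PASS = 0, DROP_MALFORMED, DROP_BINARY, DROP_TRAVERSAL };

static const char *find_bytes(const char *hay, size_t hlen, const char *needle, size_t nlen) {
    if (nlen == 0 || hlen < nlen) return NULL;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return hay + i;
    return NULL;
}

/* Inspect the buffered request head before any byte of it reaches the web server. */
enum verdict inspect_request(const char *head, size_t len) {
    const char *eol = memchr(head, '\n', len);
    if (!eol) return DROP_MALFORMED;                       /* no complete request line */
    for (size_t i = 0; i < len; i++) {                     /* HTTP heads are printable ASCII */
        unsigned char c = (unsigned char)head[i];
        if ((c < 0x20 && c != '\r' && c != '\n' && c != '\t') || c >= 0x7f) return DROP_BINARY;
    }
    if (strncmp(head, "GET ", 4) && strncmp(head, "HEAD ", 5) && strncmp(head, "POST ", 5))
        return DROP_MALFORMED;
    size_t line_len = (size_t)(eol - head);                /* traversal check on the request line only */
    if (find_bytes(head, line_len, "../", 3) || find_bytes(head, line_len, "..\\", 3))
        return DROP_TRAVERSAL;                             /* literal match only; a real rule decodes %2e first */
    return PASS;
}

/* Convenience wrapper for NUL-terminated heads (used by tests and quick checks). */
enum verdict inspect_cstr(const char *head) { return inspect_request(head, strlen(head)); }

static int write_all(int fd, const char *buf, size_t len) {
    while (len) {
        ssize_t n = write(fd, buf, len);
        if (n <= 0) return -1;
        buf += n; len -= (size_t)n;
    }
    return 0;
}

/* Copy bytes both ways; simplified so that the first EOF on either side ends the session. */
static void relay(int client, int backend) {
    char buf[4096];
    for (;;) {
        fd_set r; FD_ZERO(&r); FD_SET(client, &r); FD_SET(backend, &r);
        if (select((client > backend ? client : backend) + 1, &r, NULL, NULL, NULL) < 0) return;
        int from = FD_ISSET(client, &r) ? client : backend;
        int to   = from == client ? backend : client;
        ssize_t n = read(from, buf, sizeof buf);
        if (n <= 0 || write_all(to, buf, (size_t)n) < 0) return;
    }
}

/* Accept on listen_port, inspect each request head, and forward only PASS
 * requests to backend_ip:backend_port (where Apache is assumed to listen). */
int run_proxy(uint16_t listen_port, const char *backend_ip, uint16_t backend_port) {
    int ls = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in la = {0}, ba = {0};
    setsockopt(ls, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    la.sin_family = AF_INET; la.sin_port = htons(listen_port); la.sin_addr.s_addr = htonl(INADDR_ANY);
    ba.sin_family = AF_INET; ba.sin_port = htons(backend_port);
    if (inet_pton(AF_INET, backend_ip, &ba.sin_addr) != 1) return -1;
    if (bind(ls, (struct sockaddr *)&la, sizeof la) < 0 || listen(ls, 16) < 0) { perror("listen"); return -1; }
    for (;;) {
        int cs = accept(ls, NULL, NULL);
        if (cs < 0) continue;
        char head[MAX_HEAD]; size_t got = 0; ssize_t n;
        while (got < sizeof head && !find_bytes(head, got, "\r\n\r\n", 4) &&
               (n = read(cs, head + got, sizeof head - got)) > 0)
            got += (size_t)n;
        enum verdict v = (got == sizeof head && !find_bytes(head, got, "\r\n\r\n", 4))
                         ? DROP_MALFORMED : inspect_request(head, got);
        int bs = (v == PASS) ? socket(AF_INET, SOCK_STREAM, 0) : -1;
        if (bs >= 0 && connect(bs, (struct sockaddr *)&ba, sizeof ba) == 0 && write_all(bs, head, got) == 0)
            relay(cs, bs);                                 /* body bytes after the head flow through here */
        else
            fprintf(stderr, "dropped connection, verdict %d\n", (int)v);
        if (bs >= 0) close(bs);
        close(cs);
    }
}

int main(void) {
    /* Assumed deployment: proxy on :80, Apache moved to 127.0.0.1:8080. Binding 80 needs root. */
    return run_proxy(80, "127.0.0.1", 8080);
}
```

The serial accept loop is deliberate for readability; a deployable version would fork or use a thread per connection, and the head inspection would grow into whatever rule engine the GUI drives.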
