Re: [FW1] INSPECT Code for HTTP
Thank you Dameon for making this available to everyone. Kinda gives me an
idea... since there's no known central place to find any info on INSPECT, how
about starting one? There have been a number of people on this list that have
mentioned writing inspect code for this or that. It could be very helpful if
everyone contributed these examples to a central repository (oh say, on
Phoneboy's site :) ). There's nothing like examples when you're trying to
muddle through something that's poorly documented. Any pearls of wisdom about
writing INSPECT code can also be contributed. Collectively, there's probably
more knowledge on this list about INSPECT than we realize.
Anyone interested?
-N
Dameon Welch-Abernathy wrote:
> As part of the thread about Dynamic Packet Filters versus Stateful
> Inspection, I mentioned that wrote some INSPECT code that statefully
> inspected HTTP. Some of you were interested in this.
>
> Note that I wrote this around the 4.0SP3 timeframe. It worked then. But as
> with all things INSPECT, it may or may not work for you with your version
> nor may it work in a future build of FireWall-1. It's also not undergone any
> sort of QA or security analysis. I wrote it primarily to prove I could write
> INSPECT code. It should serve as an example to anyone who is brave enough to
> try.
>
> Accepts aren't logged. This is somewhat by design. Rejects are logged under
> rule 0. This is because this code runs in the rule 0. Also note this allows
> HTTP anywhere, which probably isn't desirable either.
>
> -- PhoneBoy
>
> // This is inspect code to verify that an actual HTTP request is happening.
> // It is pretty simplistic, actually, but at least you get an idea of how
> // INSPECT works.
> //
> // Written by Dameon D. Welch-Abernathy
> //
> // This code has not been tested on a production firewall. Not even a little
> // bit. Use at your own risk.
>
> // These are the first few characters of legitimate HTTP Commands
>
> #define HTTP_GET_MAGIC 0x47455420 /* "GET " */
> #define HTTP_HEAD_MAGIC 0x48454144 /* "HEAD" */
> #define HTTP_POST_MAGIC 0x504f5354 /* "POST" */
>
> // This is the table I use to track HTTP connections
>
> http_table = dynamic {} expires 60;
>
> // Match the data portion of the packet if the first few bits of the DATA
> // portion of the packet are proper HTTP Commands
>
> #define pb_http_match ( not_first and ( \
> [TCPDATA,b] = HTTP_GET_MAGIC or \
> [TCPDATA,b] = HTTP_HEAD_MAGIC or \
> [TCPDATA,b] = HTTP_POST_MAGIC ) )
>
> // This macro will inspect all HTTP packets after it has passed through
> // the rulebase. In the .pf file, it is referenced around the same place
> // "rule 0" stuff is (e.g. anti-spoofing)
>
> // The logic is this:
> //
> // If the packet is tcp, has a destination port that is HTTP,
> // and either:
> //
> // 1. Exists in http_table (i.e. a pre-verified HTTP session)
> // 2. Matches an HTTP request
> // 3. Contains no data
> // 4. Is a FIN/RST packet (in this case, remove the entry from http_table)
> //
> // then accept the packet. Drop packets that are tcp and destined for an
> // HTTP port (they should have been caught above). If the packet originates
> // from the http server and is FIN/RST (most of them are), then we want to
> // remove the entry from the http_table, too.
>
> #define pb_http_prologue { \
> accept ( \
> tcp, dport in http_port_tab, ( \
> ( <src,sport,dst> in http_table ) or \
> ( pb_http_match, \
> record <src,sport,dst> in http_table ) or \
> ( first ) or \
> ( ip_len <= 44 ) or \
> ( tcpdone, \
> delete <src,sport,dst> from http_table ) \
> ) \
> or ( \
> tcp, dport in http_port_tab, log long, reject \
> )\
> ); \
> tcp, sport in http_port_tab, tcpdone, \
> delete <dst,dport,src> from http_table; \
> }
>
> // This is the service used in place of http (I call it http-pb).
> // Create a service of type other, the following fields need to be filled in:
> //
> // match: pb_http_code
> // prologue: http_port_tab = { 80, 81, 8000 }; pb_http_prologue
> //
> // List all ports you want HTTP to run on, separated by commas.
>
> #define pb_http_code ( tcp, dport in http_port_tab )
>
> ______________________________________________________
> Get Your Private, Free Email at http://www.hotmail.com
>
>
>================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
>
>================================================================================
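To make the decision logic of pb_http_prologue easy to trace, here is an added Python model of it; this is not PhoneBoy's code and not Check Point INSPECT, just a simulation written for this page. It assumes the following readings of the INSPECT keywords used above: `first` is the connection-opening SYN, `tcpdone` is any packet carrying FIN or RST, `[TCPDATA,b]` compares the first four bytes of the TCP payload against the three magic values, `ip_len <= 44` means a packet with no payload, and a `dynamic {} expires 60` table without `refresh` forgets an entry 60 seconds after it was recorded. The ports come from the prologue shown (`80, 81, 8000`); addresses, payloads and the fake clock are constructed test data.

```python
import time
from dataclasses import dataclass

# Values taken from the posted INSPECT code: the prologue's http_port_tab and
# the three #define'd request prefixes (shown here as the bytes they spell).
HTTP_PORT_TAB = {80, 81, 8000}
HTTP_MAGIC = {b"GET ", b"HEAD", b"POST"}  # 0x47455420, 0x48454144, 0x504f5354
HTTP_TABLE_TTL = 60                       # "dynamic {} expires 60"


@dataclass
class Packet:
    """Constructed stand-in for the packet fields the INSPECT code looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()        # subset of {"SYN", "ACK", "FIN", "RST"}
    data: bytes = b""

    @property
    def first(self):
        # Assumed meaning of INSPECT 'first': the SYN that opens the connection.
        return "SYN" in self.flags and "ACK" not in self.flags

    @property
    def tcpdone(self):
        # Assumed meaning of INSPECT 'tcpdone': FIN or RST is set.
        return bool(self.flags & {"FIN", "RST"})


class HttpInspector:
    """Mirrors pb_http_prologue: same alternatives, same order."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.http_table = {}   # (src, sport, dst) -> absolute expiry time
        self.log = []          # rejects, which the post says land under rule 0

    def _in_table(self, key):
        expiry = self.http_table.get(key)
        if expiry is None:
            return False
        if self.clock() >= expiry:
            del self.http_table[key]   # entry aged out of the table
            return False
        return True

    def _record(self, key):
        # No 'refresh' attribute on the table, so the 60 s count from insertion.
        self.http_table[key] = self.clock() + HTTP_TABLE_TTL

    def http_match(self, pkt):
        # pb_http_match: not_first and [TCPDATA,b] equals one of the magics
        return (not pkt.first) and pkt.data[:4] in HTTP_MAGIC

    def inspect(self, pkt):
        """Return 'accept', 'reject' or 'pass' (pass = fall through to the rulebase)."""
        if pkt.dport in HTTP_PORT_TAB:
            key = (pkt.src, pkt.sport, pkt.dst)
            if self._in_table(key):
                return "accept"            # 1. pre-verified HTTP session
            if self.http_match(pkt):
                self._record(key)          # 2. record <src,sport,dst> in http_table
                return "accept"
            if pkt.first:
                return "accept"            # 3a. SYN carries no request yet
            if not pkt.data:
                return "accept"            # 3b. ip_len <= 44: bare ACK and the like
            if pkt.tcpdone:
                self.http_table.pop(key, None)
                return "accept"            # 4. FIN/RST: delete from http_table
            self.log.append(("rule 0 reject", pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "reject"                # log long, reject
        if pkt.sport in HTTP_PORT_TAB and pkt.tcpdone:
            # server-side FIN/RST: delete <dst,dport,src> from http_table
            self.http_table.pop((pkt.dst, pkt.dport, pkt.src), None)
        return "pass"


class FakeClock:
    """Constructed clock so table expiry can be exercised without sleeping."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


def run_demo():
    """Walk one HTTP session, one non-HTTP session and one expiry through the filter."""
    clock = FakeClock()
    fw = HttpInspector(clock)
    C, S = "10.0.0.5", "192.0.2.10"   # constructed client and server addresses
    SYN, ACK, FIN = frozenset({"SYN"}), frozenset({"ACK"}), frozenset({"FIN", "ACK"})
    steps = [
        Packet(C, 40000, S, 80, SYN),                                   # accept (first)
        Packet(C, 40000, S, 80, ACK, b"GET / HTTP/1.0\r\n"),            # accept, recorded
        Packet(C, 40000, S, 80, ACK, b"Host: example.test\r\n\r\n"),   # accept (in table)
        Packet("10.0.0.6", 40001, S, 80, ACK, b"SSH-2.0-OpenSSH\r\n"),  # reject (not HTTP)
        Packet(S, 80, C, 40000, FIN),                                   # pass, entry deleted
        Packet(C, 40000, S, 80, ACK, b"Host: again\r\n"),              # reject (no longer tracked)
    ]
    decisions = [fw.inspect(p) for p in steps]

    # Expiry: a request recorded at t=100 is gone by t=161, so its continuation is rejected.
    clock.t = 100.0
    fw.inspect(Packet("10.0.0.7", 40002, S, 8000, ACK, b"POST /x HTTP/1.0\r\n"))
    clock.t = 161.0
    decisions.append(fw.inspect(Packet("10.0.0.7", 40002, S, 8000, ACK, b"Content-Length: 0\r\n")))
    return decisions, len(fw.log)


if __name__ == "__main__":
    print(run_demo())
```

Two things the model makes visible that are worth knowing before reusing the INSPECT as-is. First, because the `in http_table` alternative comes before the `tcpdone, delete` alternative, a client-side FIN or RST on a tracked connection is accepted by the table lookup and never reaches the delete; only the separate server-side rule at the end of the prologue (or the 60 second expiry) removes the entry, which matches the post's remark that most FIN/RSTs come from the server. Second, a non-HTTP payload on a port in http_port_tab is rejected only if the connection is not already in the table, so the check is really on the first data-bearing packet of each connection, not on every request.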