Application Layer String Matching with iptables

One of the most important features for any IDS is the ability to search application layer data for telltale sequences of malicious bytes. However, because the structure of applications is generally much less strictly defined than that of network or transport layer protocols, intrusion detection systems must be flexible when it comes to inspecting application layer data.

For example, when inspecting application layer communications, if an IDS assumes that certain sequences of bytes are inviolate (and may therefore be ignored), then changes in the application layer protocol might invalidate this assumption and cause the IDS to miss attacks that are delivered in unexpected ways. A vulnerability in a particular implementation of such an application layer protocol might be exploitable by manipulating the sections within the protocol that the IDS skips.

We therefore need a flexible mechanism for inspecting application layer data. The ability to perform string matching against the entire application payload in network traffic is a good first step and is provided by the iptables string match extension.

NOTE This is the reason why I emphasized enabling string match support in "Kernel Configuration" on page 14. String matching will also be leveraged heavily in Chapters 9, 10, and 11, when we discuss fwsnort.

The iptables string match extension allows packet payload data to be searched for matching strings using the fast Boyer-Moore string search algorithm. This algorithm is commonly used by intrusion detection systems, including the champion open source IDS Snort, because of its ability to quickly match strings within payload data.

NOTE String matching has been available in iptables since the 2.4 kernels, but an architectural change with respect to how packet data structures were stored within kernel memory (sk_buff structures were allowed to span non-contiguous memory) broke the string matching feature in kernels 2.6.0 through The string match extension was rewritten for the 2.6.14 kernel, and it has been included within the kernel ever since.
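The following script is an added example (not code from the book) showing how the string match extension is used in practice: it builds rules that select the Boyer-Moore matcher with `--algo bm`, search the entire payload, log a hit with a rate limit, and then drop the packet. The chain, port and signatures are constructed for illustration; it assumes a kernel with the string match extension (2.6.14 or later) and prints the rules only, unless run as root with DRY_RUN=0.

```sh
#!/bin/sh
# Added example, not from the book: generate (and optionally apply) iptables
# rules that use the string match extension to LOG and DROP packets whose
# application payload contains a signature.

IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-1}     # 1 = only print the rules, 0 = also execute them

# string_match SIGNATURE
# Emits the match clause. A signature written as |hex bytes| (e.g. "|2e 2e 2f|")
# uses --hex-string so non-printable bytes can be matched; anything else is a
# plain --string. --algo bm selects Boyer-Moore; with no --from/--to the
# whole payload is searched.
string_match() {
    case "$1" in
        "|"*"|") opt=--hex-string ;;
        *)       opt=--string ;;
    esac
    printf '%s' "-m string --algo bm $opt \"$1\""
}

# signature_rules CHAIN PROTO DPORT SIGNATURE LOGPREFIX
# Emits two rules: a rate-limited LOG so the hit appears in the kernel log,
# then a DROP of the same packet.
signature_rules() {
    chain=$1; proto=$2; dport=$3; sig=$4; prefix=$5
    match=$(string_match "$sig")
    printf '%s -A %s -p %s --dport %s %s -m limit --limit 5/min -j LOG --log-prefix "%s "\n' \
        "$IPTABLES" "$chain" "$proto" "$dport" "$match" "$prefix"
    printf '%s -A %s -p %s --dport %s %s -j DROP\n' \
        "$IPTABLES" "$chain" "$proto" "$dport" "$match"
}

# apply_rules: print each generated rule and execute it unless DRY_RUN=1
apply_rules() {
    signature_rules "$@" | while IFS= read -r rule; do
        echo "$rule"
        [ "$DRY_RUN" = 1 ] || eval "$rule"
    done
}

# Constructed sample signatures for inbound HTTP: a sensitive file name as
# text, and the same "../../" traversal sequence expressed as hex bytes.
apply_rules INPUT tcp 80 '/etc/passwd' 'STR_PASSWD'
apply_rules INPUT tcp 80 '|2e 2e 2f 2e 2e 2f|' 'STR_TRAVERSAL'
```

Because `--string` is an exact byte match, a signature is only as good as its encoding; the hex form is the one to use when the bytes of interest are not printable.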
