how can i block a string in a packet?
-
Hi,
I run some game servers and from time to time they get hit with DoS/DDoS based attacks, but we are lately seeing the attack packets end in the same text string. It would be nice to filter based on the strings they are using. Is there a guide or something I can use to help set up a rule that could block based on the content?
-
@madmaxpr
The first package that comes to mind is Suricata/Snort.
You will need to write your own custom rules of which there are many examples on the Internet that instruct how to do so.
The packets will need to be unencrypted, in other words, the Suricata engine will need to see the packet in clear text and analyze the payload in order to determine if it matches your custom signature.
If the packets arrive wrapped in TLS... you're out of luck.
-
@michmoor Thanks, we are familiar with Snort and have that in place already, but wanted more direction to some examples online using Snort and implementing it.
The packets we see are luckily unencrypted :)
-
A quick Google search with this term: "writing snort rules examples" yields a ton of results. Here are a few of them:
https://www.sapphire.net/security/snort-rules-examples/
https://cyvatar.ai/write-configure-snort-rules/
https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/snort-rules/
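As an added example (not posted by anyone in this thread), here is the shape of a Snort 2.9 rule that does what the original question asks: match unencrypted UDP packets to a game port whose payload ends with a fixed text string, and drop them. The marker string "EXAMPLE-MARKER", the port 27015, and the `$HOME_NET`/`$EXTERNAL_NET` variables are assumed placeholders; substitute the real string seen in the captures and the port the game server listens on.

```snort
# Added example, not from the thread. Assumed values: the trailing marker
# "EXAMPLE-MARKER", game port 27015/udp, and $HOME_NET/$EXTERNAL_NET as
# defined in snort.conf. Put this in local.rules (sids >= 1000000 are
# reserved for local rules).
#
# content:   the fixed string the attack packets carry
# nocase:    match regardless of letter case
# isdataat:!1,relative  no byte may follow the match, i.e. the string must
#            sit at the very end of the payload, as described in the question
# detection_filter: only fire once a single source sends 30 such packets
#            in 10 seconds, so one stray legitimate packet is not blocked
drop udp $EXTERNAL_NET any -> $HOME_NET 27015 ( \
    msg:"LOCAL game-server flood packet with known trailing marker"; \
    content:"EXAMPLE-MARKER"; nocase; isdataat:!1,relative; \
    detection_filter:track by_src, count 30, seconds 10; \
    classtype:attempted-dos; sid:1000001; rev:1; )

# Same match as an alert-only rule for a passive (IDS) sensor, where a
# "drop" action cannot take effect and blocking is done by whatever acts
# on the alert.
alert udp $EXTERNAL_NET any -> $HOME_NET 27015 ( \
    msg:"LOCAL game-server flood packet with known trailing marker (alert)"; \
    content:"EXAMPLE-MARKER"; nocase; isdataat:!1,relative; \
    classtype:attempted-dos; sid:1000002; rev:1; )
```

The `drop` action only discards packets when Snort runs inline (for example via NFQ or AFPACKET DAQ); on a span-port or passive sensor it is treated as an alert, which is why the second rule is included. Test the rule against a pcap of the attack traffic before enabling it (`snort -c snort.conf -r attack.pcap -A console`) and confirm the `content` string is not something legitimate clients send, since a `drop` on a game port will silently discard real player traffic if the match is too broad.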