Firewall Rules Converting Hex Match to BPF

Cronus
New to forums
Posts: 12
Joined: Thu Apr 21, 2016 10:55 am

Firewall Rules Converting Hex Match to BPF

Post by Cronus »

I have some firewall rules that I only know how to write using hex matching and string matching in iptables.
I want to convert these to BPF to free up some rules. I've read quite a bit but I'm not sure how exactly to convert these. I am hoping someone can show me an example of one of my hex matches converted to BPF. Or perhaps all of them, but one would help me out tremendously and help me learn BPF better :)
Below are my current rules, all using "these hex bytes:" between 0 and 99.


05 ca 7f 16 9c

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

48 54 54 50 2f 31 2e 31 20 32 30 30 20 4f 4b 0d

02 04 7b 73 cc 13 02 01

71 f6 38 13 d5 42
Edge100x
Founder
Posts: 12945
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: Firewall Rules Converting Hex Match to BPF

Post by Edge100x »

With BPF, you'll need to be more specific on where those bytes would be located in the packet. Do you have sample attack traffic?

Re: Firewall Rules Converting Hex Match to BPF

Post by Cronus »

Unfortunately I do not have these right now. Without them, can I do a broad range like I currently do, 0 to 99, in hex matching?

Re: Firewall Rules Converting Hex Match to BPF

Post by Edge100x »

No, you'd need to know where to specifically have it look. BPF does not support string matching across a range.

Re: Firewall Rules Converting Hex Match to BPF

Post by Cronus »

Gotcha, thanks. If I get an example I'll reply here.

Re: Firewall Rules Converting Hex Match to BPF

Post by Cronus »

This is another rule I want to refine.

Currently in the panel I have Hex Bytes 5c 73 74 61 74 75 73 5c between 0 and 99

Below is the screenshot from Wireshark of the pcap, and it shows bytes 42-49. I try that in the firewall panel and it doesn't work.

Did I miss something?

http://i.imgur.com/OER45Ah.png
Spray
Former staff
Posts: 630
Joined: Wed Dec 28, 2011 10:41 pm
Location: Oregon

Re: Firewall Rules Converting Hex Match to BPF

Post by Spray »

In this case, the BPF filter would be:


ip[42:4]=0x5c737461 and ip[46:4]=0x7475735c

Each line in the capture represents 16 bytes, shown as hexadecimal values. The first byte you're interested in is byte 42, and BPF allows you to specify a size of 1, 2, or 4 bytes to compare against.

To break it down:

ip - use the IP protocol
[42:4]= - start at an offset of 42 and compare against 4 bytes
0x5c737461 - The hexadecimal value you're comparing against (0x at the beginning denotes that it's a hex string)

"and" is used to concatenate the two expressions.

Re: Firewall Rules Converting Hex Match to BPF

Post by Cronus »

That did not work. The traffic is blocked now and not getting through. This makes a lot of sense and I cannot see what's wrong, hmm.

Re: Firewall Rules Converting Hex Match to BPF

Post by Edge100x »

It does not appear that you quoted a capture that shows the entire IP packet. If you use the ip[] functionality, it is based on the start of the IP header. The captures in our control panel show the packet starting with the IP header.

Wireshark should have a mechanism for showing the whole packet, but if it doesn't, you could also base your checks on the start of a different header, such as by using udp[] or tcp[].

Re: Firewall Rules Converting Hex Match to BPF

Post by Cronus »

Forgive my noobness, but is this not the entire IP packet?

http://i.imgur.com/jnhobYy.png

It starts with the IG bit, then has address, type, src, dst, etc., then the data part, which I'm trying to match against, is the last few bits.

Below is what I found by trial and error to work. But I wanted to get BPF working with this rule as part of my learning :)

http://i.imgur.com/YADBlvw.png

Re: Firewall Rules Converting Hex Match to BPF

Post by Edge100x »

It looks like it is starting at the ethernet header instead of the IP header. Our suggested rules use the IP header as a base.

Re: Firewall Rules Converting Hex Match to BPF

Post by Cronus »

Trying to do a BPF filter for the following:


0000   00 16 3e f1 5e 88 fe ff ff ff ff ff 08 00 45 00  ..>.^.........E.
0010   00 4a b9 4f 40 00 f3 11 54 9d 1f b0 9e 46 4a 5b  .J.O@...T....FJ[
0020   71 64 70 8c 1e 61 00 36 e0 10 13 c3 83 80 00 01  qdp..a.6........
0030   00 00 00 00 00 01 0e 68 61 6a 6a 61 6d 73 65 72  .......hajjamser
0040   76 69 63 65 73 02 75 73 00 00 ff 00 01 00 00 29  vices.us.......)
0050   10 00 00 00 00 00 00 00                          ........

At the moment a hex-wide match rule for 73 65 72 76 69 63 65 73 02 75 73 has stopped this, but I'd rather get these in BPF so I can minimize the number of rules.

Re: Firewall Rules Converting Hex Match to BPF

Post by Spray »

Try:


ip[56:4]=0x616a6a61 and ip[60:4]=0x6d736572 and ip[64:4]=0x76696365

Re: Firewall Rules Converting Hex Match to BPF

Post by Cronus »

Also, this is from Wireshark, and I believe it starts on the Ethernet header, not the IP header. I assume that changes things? Also, do you know of a way to set Wireshark to display on the IP header? Or at least how to offset that when reading the packets?

Re: Firewall Rules Converting Hex Match to BPF

Post by Spray »

Cronus wrote: Also, this is from Wireshark, and I believe it starts on the Ethernet header, not the IP header. I assume that changes things? Also, do you know of a way to set Wireshark to display on the IP header? Or at least how to offset that when reading the packets?
You can click on different sections of the packet in Wireshark to filter by the protocol layer.

Perhaps try using:


ether[56:4]=0x616a6a61 and ether[60:4]=0x6d736572 and ether[64:4]=0x76696365