How to create a rule in raw edition mode?
jgama
June 8th, 2004, 02:39 PM
Hello!
I tried to create a rule with the raw editor but I don't understand it. Can anyone share a rule they created this way?
Thank you!
Peace,
Joseph
Thomas M
June 9th, 2004, 07:11 AM
jgama,
What do you mean by "raw edition mode" ?
Is it when you click on the "add" button in Internet filtering that opens an empty "rule editing" window ??
Thomas :)
Frederic
June 9th, 2004, 03:19 PM
Hi Thomas,
"raw edition mode" refers to the raw rule edition plugin:
http://www.looknstop.com/En/Plugins/plugin.htm
Hi Joseph,
To edit such a rule you need to specify for each field you want to check:
- the offset position of the set of bytes to be checked (the final position depends on the field offset type you selected: ETH, IP or TCP)
- the number of bytes
- the type of comparison (=criteria)
- the value to be compared with
A field is, for instance, a check for a port number, or a check for a MAC address,... You can edit 10 fields per rule (0 to 9).
To know the position of a field you need to refer to the packet formats, for instance:
http://www.soft4ever.com/LooknStop/Fr/TramesetRFC.html
On this map, for field offsets:
- if you select ETH => position 0 identifies the first byte of the first yellow part (Destination ETH address)
- if you select IP => position 0 is the first byte of the green part (version)
- if you select TCP => position 0 is the first byte of the second yellow part (source port)
For instance to check for specific destination MAC address:
- position type: ETH, position is 0 for UL, position is 6 for DL
- number of bytes is 6
- type of comparison: EQUAL_VALUE1
- Value1: the MAC address you want to check
To check for a destination port to be within 1024-5000:
- position type: TCP, position is 4 for UL, position is 0 for DL
- number of bytes is 2
- type of comparison: RANGE_IN
- Value1: 1024, Value2: 5000
If you want to do both in the same rule, select Field 0 for the first check, and Field 1 for the second.
Hope this helps,
Frederic
hojtsy
June 9th, 2004, 05:26 PM
Wow,
that level of control just *rocks*! ;D
Now if only the application enrollment dialog ("Do you authorize it to connect?") would contain an advanced button to configure the allowed ports for an app before allowing it. That would also be more professional.
-hojtsy-
jgama
June 10th, 2004, 04:44 PM
Hi Thomas,
You need to have the plugin set in order to use raw edit.
Hi Frederic,
Thank you for the reply, it had the info I needed, awesome!
Yes, LNS with SPI can really take care of many security issues, particularly with scanning techniques that can't be detected by simply inspecting packets. Remarkable!
Here is what I wanted to do: block spoofed local IPs (10.1.1.*) by checking the IP header. More specifically, if the TTL != 128 and the 1st byte of SA is 10, then it has to be spoofed.
I changed the type to IP, field 8, inbound and selected NOTEQUAL_VALUE1 and value1 as 128. Then I realized that SA starts at offset 10 and so it wouldn't work, unless I use 2 bytes as field size and mask it. Anyway, I also noticed that the type changes back to ethernet when changing the field number and that the description is lost. Does it mean that a raw rule can have different fields applied to different types?
I was going to try the 2-byte field size solution with a hex value 80.00 and a mask ff.00 but when I create the rule and then, later, edit it in raw mode, the values are gone.
Please let me know what I am doing wrong.
Thank you so much,
Peace,
Joseph
jgama
June 10th, 2004, 08:49 PM
I forgot something: to block local IPs either 10.1.1.* or 192.0.0.* by assuming that the TTL has to be 128 will not work if the attacker counts the hops and is capable of forging the TTL value accordingly. Most spoofing tools are very crude and don't allow changing the TTL though. Nothing is perfect. But using this method and checking the MAC addresses will help. MAC addresses are harder to spoof because there aren't many ethernet packet spoofing tools around.
Peace,
Joseph
Frederic
June 11th, 2004, 05:33 PM
Hi Joseph,
I've attached the rule I created following your instructions (rename it .rie).
The Source Address (SA) is supposed to start at offset 12. I didn't understand the problem with the size of the field, it can be one byte with EQUAL_VALUE1 10.
Yes when you select a new field the Type of the offset goes back to ETH, but it's only the init value for this new field. Back to the previous field normally it should come back to IP.
Ok for the description, effectively it is lost when changing the field number. I will fix it.
I also noticed that changing the Criteria causes the offsets to re-initialize (but they are correctly saved when changing from one field to another one). I will also fix that.
Regards,
Frederic
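The field mechanics Frederic describes above (offset type, position, number of bytes, criteria, Value1/Value2) and Joseph's inbound spoof-detection rule, worked through as an added Python example; this is not Look 'n' Stop code and not something posted in this thread. It assumes a standard untagged Ethernet II / IPv4 / TCP layout (IP header at frame offset 14, TCP header right after the IP header length), that all fields of a rule must match (AND), and that a mask is applied as a bitwise AND before the comparison. The download (DL) positions follow Frederic's posts and the source-address position uses his correction to IP offset 12. `Field`, `rule_matches` and `build_frame` are names chosen here, and the frames are constructed sample data.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ETH_HDR_LEN = 14  # untagged Ethernet II header (assumption: no VLAN tag)


def base_offset(offset_type: str, frame: bytes) -> int:
    """Translate a field's offset type into an absolute frame offset.

    Assumption, modeled on Frederic's description: ETH position 0 is the
    first byte of the Ethernet header, IP position 0 the first byte of the
    IP header, TCP position 0 the first byte of the TCP header.
    """
    if offset_type == "ETH":
        return 0
    if offset_type == "IP":
        return ETH_HDR_LEN
    if offset_type == "TCP":
        ihl_words = frame[ETH_HDR_LEN] & 0x0F  # IP header length in 32-bit words
        return ETH_HDR_LEN + ihl_words * 4
    raise ValueError(f"unknown offset type {offset_type!r}")


@dataclass
class Field:
    offset_type: str            # "ETH", "IP" or "TCP"
    position: int               # byte offset relative to that header
    nbytes: int                 # number of bytes compared
    criteria: str               # EQUAL_VALUE1, NOTEQUAL_VALUE1 or RANGE_IN
    value1: int
    value2: int = 0             # upper bound, used by RANGE_IN only
    mask: Optional[int] = None  # optional AND mask (assumed semantics)

    def matches(self, frame: bytes) -> bool:
        start = base_offset(self.offset_type, frame) + self.position
        chunk = frame[start:start + self.nbytes]
        if len(chunk) < self.nbytes:
            return False  # truncated packet: the field cannot be evaluated
        value = int.from_bytes(chunk, "big")
        if self.mask is not None:
            value &= self.mask
        if self.criteria == "EQUAL_VALUE1":
            return value == self.value1
        if self.criteria == "NOTEQUAL_VALUE1":
            return value != self.value1
        if self.criteria == "RANGE_IN":
            return self.value1 <= value <= self.value2
        raise ValueError(f"unknown criteria {self.criteria!r}")


def rule_matches(fields: List[Field], frame: bytes) -> bool:
    """A rule matches when every one of its fields (0 to 9) matches."""
    assert 1 <= len(fields) <= 10, "raw rules carry at most 10 fields"
    return all(f.matches(frame) for f in fields)


def build_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str,
                ttl: int, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame, no payload, checksums left zero."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp


# Joseph's inbound check: TTL (IP offset 8) != 128 AND first byte of the
# source address (IP offset 12, per Frederic's correction) == 10.
SPOOFED_10_NET = [
    Field("IP", 8, 1, "NOTEQUAL_VALUE1", 128),
    Field("IP", 12, 1, "EQUAL_VALUE1", 10),
]

# The same TTL test as the 2-byte masked variant Joseph considered: IP bytes
# 8-9 are TTL and protocol, mask ff.00 keeps only the TTL byte.
SPOOFED_10_NET_MASKED = [
    Field("IP", 8, 2, "NOTEQUAL_VALUE1", 0x8000, mask=0xFF00),
    Field("IP", 12, 1, "EQUAL_VALUE1", 10),
]

# Frederic's two examples for the download direction: remote MAC at ETH
# offset 6 (source MAC) and remote port at TCP offset 0 within 1024-5000.
REMOTE_MAC_AND_PORT_DL = [
    Field("ETH", 6, 6, "EQUAL_VALUE1", 0x001122334455),
    Field("TCP", 0, 2, "RANGE_IN", 1024, 5000),
]

if __name__ == "__main__":
    frame = build_frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55",
                        "10.1.1.5", "10.1.1.2", 64, 3333, 80)
    print("spoofed 10.x with TTL 64:", rule_matches(SPOOFED_10_NET, frame))
```

Two behaviours are worth noticing: a frame too short to contain the field never matches (so a truncated packet cannot slip past a NOTEQUAL check by accident), and the masked 2-byte variant and the 1-byte TTL field give identical results, which is why Frederic says one byte is enough. The rule stays the heuristic Joseph describes: a sender who forges the TTL to 128 is not caught by it.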
Copyright ©2002 - 2012, Wilders Security Forums