CHX-i Payload rules . . HOW?? lol

Discussion in 'other firewalls' started by TECHWG, May 1, 2006.

Thread Status:
Not open for further replies.

    TECHWG Guest

    Can you explain to me how to use payload-based rules? For example, like the following:

    1) In a connection, find the string 123456 and replace it with 654321.
    2) Block all inbound on port 80, but if the string open80 is typed into an open port using telnet, then that string open80 should trigger a rule that allows inbound to port 80 from that IP.

    I think these two things can be done, but they make it look so complicated. Thanks guys.

    If you can help me understand how to do those two things, then I will be able to figure out how to use the whole thing.
    rdsu Registered Member

    Jun 28, 2003

    TECHWG Guest

    This was taken from another forum, SSC:

    "Hi TECHWG,

    Here are a few hints on how to use the payload filtering:

    1) Build your PF trigger first (Ex.: Force Allow, Incoming, TCP, SYN, Dst.Port:80) and leave the Source IP as "Any". The trigger will be activated by the payload driver when your payload filter meets your criteria.

    2) Build your "Traffic stream" on the channel you want to monitor for your commands (like "open80") (Ex.: Incoming, TCP, LocalPort:23 (telnet)). If you have already built your payload filter, then go to the "Associated filters" tab and add it there; else:

    3) Build your payload filter (for now specify only the log options).

    4) Build a rule on your newly created filter (Ex.: Start: "\s", End: "\p", Pattern: "open80"), the direction on each flag being "Connection flow". Choose "Reset the rule" for the number of bytes after Start exceeding 8960. Choose "Any of the pattern is found" for when to apply the actions. On your primary action you could do any Insert/Replace/Remove operations. On the secondary actions choose "Activate PF trigger" and choose your trigger from the list. You could choose "Replace Source IP in PF with Remote IP" (Ex.: if you want to open port 80 only to the IP that sent the "open80" command).
    Choose a timeout if necessary.

    5) Go back to your traffic stream and attach this newly created filter.

    6) Make sure the payload driver is running.

    7) When the trigger is activated you can see it in the "Packet Filters(Global)->Activated Triggers" node.

    Hope this helps,

    Vali "

    although I altered the situation to use my web server as the means for unlocking the other ports I want, by using things like this:

    and that trigger works really nicely. So now I can have my FTP, UltraVNC and other server ports kept completely stealthed from any and all scans, but give people a link that they click and boom, they can access all the ports I select for them to see! I am using my Sunbelt Kerio as normal, and am using CHX-i only to lock down my selected ports and unlock them to the right people.

    Thanks Vali
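The logic Vali describes above (a payload filter attached to a traffic stream, a Replace primary action, and an "Activate PF trigger" secondary action that pins the trigger's source IP to the remote host for a timeout) is modelled below as an added example. It is not code from the thread or from CHX-i; the class names PFTrigger, PayloadRule and PayloadFilter, the IP addresses and the telnet segments are all constructed for the illustration. Two interpretations are assumed and marked in comments: "Start" is taken as the beginning of the connection flow, and "Reset the rule" after 8960 bytes is taken to mean the rule stops matching on that flow. It covers both of the original questions: the 123456 to 654321 rewrite, and the open80 knock that opens port 80 only to the sender.

```python
"""Toy model of CHX-i style payload rules (added illustration, not CHX-i's code)."""
from __future__ import annotations
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class PFTrigger:
    """Pre-built 'Force Allow, Incoming, TCP, SYN, Dst.Port' rule, Source IP 'Any' until activated."""
    name: str
    dst_port: int
    src_ip: str = "Any"
    active_until: float = 0.0   # epoch seconds; 0.0 = never activated

    def permits(self, src_ip: str, dst_port: int, now: float) -> bool:
        """Would this trigger allow an inbound SYN from src_ip to dst_port right now?"""
        if now >= self.active_until or dst_port != self.dst_port:
            return False
        return self.src_ip in ("Any", src_ip)


@dataclass
class PayloadRule:
    pattern: bytes
    reset_after: int = 8960                 # bytes of flow after Start before the rule resets
    replace_with: Optional[bytes] = None    # primary action: Replace pattern in the flow
    trigger: Optional[PFTrigger] = None     # secondary action: Activate PF trigger
    pin_remote_ip: bool = True              # 'Replace Source IP in PF with Remote IP'
    timeout: float = 60.0                   # seconds the trigger stays active


@dataclass
class _Conn:
    seen: int = 0      # bytes consumed since connection start (assumed to be the rule's Start)
    held: bytes = b""  # unforwarded tail so a pattern split across two segments still matches


class PayloadFilter:
    """Traffic stream 'Incoming, TCP, LocalPort:<local_port>' with its associated rules."""

    def __init__(self, local_port: int, rules: list[PayloadRule]):
        self.local_port = local_port
        self.rules = rules
        self.conns: dict[tuple, _Conn] = {}
        self.activated: list[str] = []   # what the 'Activated Triggers' node would list
        # the longest pattern decides how much of the flow is held back between segments
        self._hold = max((len(r.pattern) for r in rules), default=1) - 1

    def process(self, remote_ip: str, remote_port: int, local_port: int,
                data: bytes, now: Optional[float] = None) -> bytes:
        """Feed one inbound segment; return the bytes to forward to the local service."""
        if local_port != self.local_port:
            return data                       # not on the monitored stream
        now = time.time() if now is None else now
        st = self.conns.setdefault((remote_ip, remote_port), _Conn())
        buf = st.held + data
        for rule in self.rules:
            # assumed meaning of 'Reset the rule': stop matching this flow past reset_after bytes
            if st.seen > rule.reset_after or rule.pattern not in buf:
                continue
            if rule.replace_with is not None:
                buf = buf.replace(rule.pattern, rule.replace_with)
            if rule.trigger is not None:
                trig = rule.trigger
                if rule.pin_remote_ip:
                    trig.src_ip = remote_ip   # open the port only to the host that sent the knock
                trig.active_until = now + rule.timeout
                self.activated.append(f"{trig.name} <- {remote_ip} until {trig.active_until:.0f}")
        st.seen += len(data)
        out, st.held = (buf[:-self._hold], buf[-self._hold:]) if self._hold else (buf, b"")
        return out

    def close(self, remote_ip: str, remote_port: int) -> bytes:
        """Connection ended: flush whatever was held back."""
        return self.conns.pop((remote_ip, remote_port), _Conn()).held


def demo() -> dict:
    """Constructed scenario: 'open80' typed over telnet (port 23) unlocks port 80 for that IP."""
    allow80 = PFTrigger("Allow-80", dst_port=80)
    pf = PayloadFilter(local_port=23, rules=[
        PayloadRule(pattern=b"123456", replace_with=b"654321"),
        PayloadRule(pattern=b"open80", trigger=allow80, timeout=60.0),
    ])
    t0 = 1_000_000.0
    # both strings arrive split across telnet segments (constructed input)
    fwd = pf.process("203.0.113.7", 40000, 23, b"hello 1234", now=t0)
    fwd += pf.process("203.0.113.7", 40000, 23, b"56 ope", now=t0 + 1)
    fwd += pf.process("203.0.113.7", 40000, 23, b"n80\r\n", now=t0 + 2)
    fwd += pf.close("203.0.113.7", 40000)
    return {
        "forwarded": fwd,                                                  # rewritten stream
        "knocker_allowed": allow80.permits("203.0.113.7", 80, t0 + 30),    # sender gets in
        "scanner_allowed": allow80.permits("198.51.100.9", 80, t0 + 30),   # others still blocked
        "after_timeout": allow80.permits("203.0.113.7", 80, t0 + 120),     # trigger expired
        "activated": list(pf.activated),
    }


def knock_after_window() -> bool:
    """Same knock, but only after 9000 bytes of flow: the rule has reset, nothing opens."""
    trig = PFTrigger("Allow-80", dst_port=80)
    pf = PayloadFilter(23, [PayloadRule(pattern=b"open80", trigger=trig)])
    pf.process("203.0.113.7", 40001, 23, b"x" * 9000, now=0.0)
    pf.process("203.0.113.7", 40001, 23, b"open80\r\n", now=1.0)
    return trig.permits("203.0.113.7", 80, 2.0)


if __name__ == "__main__":
    print(demo())
    print("knock after reset window opens port:", knock_after_window())
```

Two points worth keeping in mind when using this scheme for real: the knock word crosses the network in cleartext over telnet, so anyone who can observe the connection, or simply guess the word, can send it and have the port opened to their own address; and the timeout is what limits how long an activated trigger stays open, so set one rather than leaving the trigger active indefinitely.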