Don Hughes - 2001-12-19

I have been using Regina very successfully to maintain my iptables rules, and to scan the iptables logs and Apachie logs and generate new rules.  However, I would like to implement some userspace code to block attacks on the fly.

Something like:

iptables --

-A check-attack -p tcp --dport 80 -m string --string ".ida" -j QUEUE --log-prefix "VIRUS"

Regina --

string = readqueue('iptables')
parse var string . . . . prefix . . . source_ip . . . . .
some-
  misc-
   logic
"iptables -A PREROUTING -s" source_ip "-j DROP"

So, netfilter detects some suspicious activity and queues an entry to a userspace program.  A Regina program is waiting on the queue, reads the entry, and if it decides that it represents an attack, blockes ALL further traffic from that address or, perhaps, subnet.

All the interfaces seem to be available, it is just missing some c-code glue that I am not up to implementing.  Anybody done this who would like to share?