
OpenDPI (identifying traffic types) + iptables

OpenDPI is a library for classifying traffic using Deep Packet Inspection (DPI). The IPP2P project is no longer maintained and recommends OpenDPI as its replacement. Unlike IPP2P, whose sole purpose is to detect p2p traffic, OpenDPI supports a wide range of protocols. OpenDPI was designed from the start for a very low false-positive rate. Unlike L7-filter, it does not require patching iptables or the kernel: it works as a kernel module plus an xtables library. Protocol definitions are C modules rather than a list of regexps, which improves performance. iptables support for the library has been added recently.
Let's try OpenDPI in practice.

Go to the Downloads section of the project site and download opendpi-1.2.0.tar.gz and opendpi-netfilter-wrapper-1.1.tar.gz (the current versions at the time of writing). If you want to play around, examine the contents of opendpi-1.2.0.tar.gz, build it in the usual way ( ./configure && make && make install ) and experiment by feeding different pcap files to the OpenDPI_demo program.
Now let's build the iptables module. You will need the kernel headers and iptables. The following options must also be enabled in the kernel:

  Connection tracking events
 Symbol: NF_CONNTRACK_EVENTS
 Location:
 -> Networking support
  -> Networking options
   -> Network packet filtering framework (Netfilter)
    -> Core Netfilter Configuration
     -> Netfilter connection tracking support 


  Connection tracking netlink interface
 Symbol: NF_CT_NETLINK
 Location:
 -> Networking support
  -> Networking options
   -> Network packet filtering framework (Netfilter)
    -> Core Netfilter Configuration
     -> Netfilter connection tracking support 

Unpack opendpi-netfilter-wrapper-1.1.tar.gz and change into the opendpi-netfilter-wrapper-1.1 directory. Unpack opendpi-1.2.0.tar.gz there. That is, the opendpi-netfilter-wrapper-1.1 directory should contain the README file, the ipq_*.diff patches, the wrapper directory and the opendpi-1.2.0 directory, the last holding the OpenDPI sources. All of the described steps as commands:
  $ ls
 opendpi-1.2.0.tar.gz opendpi-netfilter-wrapper-1.1.tar.gz
 $ tar -xzf opendpi-netfilter-wrapper-1.1.tar.gz
 $ cd opendpi-netfilter-wrapper-1.1
 $ tar -xzf ../opendpi-1.2.0.tar.gz 

Now go to the opendpi-1.2.0 directory:
  $ cd opendpi-1.2.0 

and apply patches:
  $ patch -p0 <../ipq_main.h.diff
 $ patch -p0 <../ipq_protocols.h.diff 

After that, you need to set the environment variable:
  $ export OPENDPI_PATH=$(pwd)

and go to the wrapper directory:
  $ cd ../wrapper 

Now apply the patch that adds support for kernel 2.6.35 (support for older kernels is not broken by it). The patch was written by comparing the netfilter sources of 2.6.34 and 2.6.35. It has already been sent to the developers; you can download it from this discussion thread on the official site. Put the patch next to the opendpi-netfilter-wrapper-1.1 directory and apply it with:
  $ patch -p3 <../../opendpi-netfilter-wrapper-1.1_2.6.35_v2.patch

Then run:
  $ make
 # make modules_install
 # cp ipt/libxt_opendpi.so /lib/xtables

Now you can use the module:
  # modprobe xt_opendpi 

Examine the available options:
  # iptables -m opendpi --help 

Try it in action:
  # iptables -A OUTPUT -m opendpi --http -j DROP
 # wget http://ya.ru/
 --2010-11-12 20:57:41--  http://ya.ru/
 Connecting to 213.180.204.3:80... connected.
 HTTP request sent, awaiting response... ^C


Possible errors during the build and installation:

  FATAL: Error inserting xt_opendpi (/lib/modules/2.6.34-gentoo-r12/extra/xt_opendpi.ko): Device or resource busy

This means the required kernel options (see above) are not enabled.

  /opendpi/opendpi-netfilter-wrapper-1.1/wrapper/src/main.c:466: error: dereferencing pointer to incomplete type

This means you are most likely on kernel 2.6.35 or newer; apply the patch mentioned above.
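The kernel-option requirement and the two build errors above can be checked before running make. The following preflight script is an added example, not code from the original post or from the OpenDPI project; the sample kernel config text it uses is constructed, and the /proc/config.gz and /boot/config-* locations are assumptions about where a running kernel exposes its config.

```shell
#!/bin/sh
# Preflight checks for the OpenDPI netfilter-wrapper build (added example, not
# from the original post or the OpenDPI project). Sample config text is constructed.
# 0 if SYMBOL is built in (=y) or a module (=m) in the kernel config text CFG.
kconfig_has() {                                # usage: kconfig_has SYMBOL "$CFG"
    printf '%s\n' "$2" | grep -Eq "^CONFIG_$1=(y|m)$"
}

# The two options the wrapper needs; print the missing ones and fail if any.
check_required_kconfig() {
    missing=""
    for sym in NF_CONNTRACK_EVENTS NF_CT_NETLINK; do
        kconfig_has "$sym" "$1" || missing="$missing $sym"
    done
    if [ -z "$missing" ]; then return 0; fi
    printf '%s\n' "${missing# }"
    return 1
}

# 0 if the kernel version string is 2.6.35 or newer, i.e. the 2.6.35 wrapper
# patch must be applied before make; 1 for older kernels.
needs_2635_patch() {
    ver=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')   # 2.6.34-gentoo-r12 -> 2.6.34
    oldifs=$IFS; IFS=.; set -- $ver; IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -gt 6 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -ge 35 ]; then return 0; fi
    return 1
}

# Read the running kernel's config if it is exposed (assumed locations).
live_kconfig() {
    if [ -r /proc/config.gz ]; then zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
    fi
}

# Constructed sample: NF_CT_NETLINK disabled, the case that makes
# "modprobe xt_opendpi" fail with "Device or resource busy".
SAMPLE_BAD='CONFIG_NF_CONNTRACK_EVENTS=y
# CONFIG_NF_CT_NETLINK is not set'
echo "sample config missing: $(check_required_kconfig "$SAMPLE_BAD" || true)"
cfg=$(live_kconfig)
if [ -z "$cfg" ]; then echo "running kernel: config not readable, check manually"
elif missing=$(check_required_kconfig "$cfg"); then echo "running kernel: config ok"
else echo "running kernel: missing $missing"
fi
if needs_2635_patch "$(uname -r)"; then echo "kernel $(uname -r): apply the 2.6.35 patch first"; fi
```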

An ebuild for Gentoo has been posted here.

UPD: the declared list of supported protocols (from iptables -m opendpi --help):
opendpi match options:
--ftp Match for FTP protocol packets.
--pop Match for Mail_POP protocol packets.
--smtp Match for Mail_SMTP protocol packets.
--imap Match for Mail_IMAP protocol packets.
--dns Match for DNS protocol packets.
--ipp Match for IPP protocol packets.
--http Match for HTTP protocol packets.
--mdns Match for MDNS protocol packets.
--ntp Match for NTP protocol packets.
--netbios Match for NETBIOS protocol packets.
--nfs Match for NFS protocol packets.
--ssdp Match for SSDP protocol packets.
--bgp Match for BGP protocol packets.
--snmp Match for SNMP protocol packets.
--xdmcp Match for XDMCP protocol packets.
--smb Match for SMB protocol packets.
--syslog Match for SYSLOG protocol packets.
--dhcp Match for DHCP protocol packets.
--postgres Match for PostgreSQL protocol packets.
--mysql Match for MySQL protocol packets.
--tds Match for TDS protocol packets.
--ddl Match for DirectDownloadLink protocol packets.
--i23v5 Match for I23V5 protocol packets.
--apple Match for AppleJuice protocol packets.
--directconnect Match for DirectConnect protocol packets.
--socrates Match for Socrates protocol packets.
--winmx Match for WinMX protocol packets.
--manolito Match for MANOLITO protocol packets.
--pando Match for PANDO protocol packets.
--filetopia Match for Filetopia protocol packets.
--iMESH Match for iMESH protocol packets.
--kontiki Match for Kontiki protocol packets.
--openft Match for OpenFT protocol packets.
--fasttrack Match for Kazaa/Fasttrack protocol packets.
--gnutella Match for Gnutella protocol packets.
--edonkey Match for eDonkey protocol packets.
--bittorrent Match for Bittorrent protocol packets.
--off Match for OFF protocol packets.
--avi Match for AVI protocol packets.
--flash Match for Flash protocol packets.
--ogg Match for OGG protocol packets.
--mpeg Match for MPEG protocol packets.
--quicktime Match for QuickTime protocol packets.
--realmedia Match for RealMedia protocol packets.
--windowsmedia Match for Windowsmedia protocol packets.
--mms Match for MMS protocol packets.
--xbox Match for XBOX protocol packets.
--qq Match for QQ protocol packets.
--move Match for MOVE protocol packets.
--rtsp Match for RTSP protocol packets.
--feidian Match for Feidian protocol packets.
--icecast Match for Icecast protocol packets.
--pplive Match for PPLive protocol packets.
--ppstream Match for PPStream protocol packets.
--zattoo Match for Zattoo protocol packets.
--shoutcast Match for SHOUTCast protocol packets.
--sopcast Match for SopCast protocol packets.
--tvants Match for TVAnts protocol packets.
--tvuplayer Match for TVUplayer protocol packets.
--veohtv Match for VeohTV protocol packets.
--qqlive Match for QQLive protocol packets.
--thunder Match for Thunder/Webthunder protocol packets.
--soulseek Match for Soulseek protocol packets.
--gadugadu Match for GaduGadu protocol packets.
--irc Match for IRC protocol packets.
--popo Match for Popo protocol packets.
--jabber Match for Jabber protocol packets.
--msn Match for MSN protocol packets.
--oscar Match for Oscar protocol packets.
--yahoo Match for Yahoo protocol packets.
--battlefield Match for Battlefield protocol packets.
--quake Match for Quake protocol packets.
--secondlife Match for Second Life protocol packets.
--steam Match for Steam protocol packets.
--hl2 Match for Halflife2 protocol packets.
--worldofwarcraft Match for World of Warcraft protocol packets.
--telnet Match for Telnet protocol packets.
--stun Match for STUN protocol packets.
--ipsec Match for IPSEC protocol packets.
--gre Match for GRE protocol packets.
--icmp Match for ICMP protocol packets.
--igmp Match for IGMP protocol packets.
--egp Match for EGP protocol packets.
--sctp Match for SCTP protocol packets.
--ospf Match for OSPF protocol packets.
--ipip Match for IP in IP protocol packets.
--rtp Match for RTP protocol packets.
--rdp Match for RDP protocol packets.
--vnc Match for VNC protocol packets.
--pcanywhere Match for PCAnywhere protocol packets.
--ssl Match for SSL protocol packets.
--ssh Match for SSH protocol packets.
--usenet Match for USENET protocol packets.
--mgcp Match for MGCP protocol packets.
--iax Match for IAX protocol packets.
--tftp Match for TFTP protocol packets.
--afp Match for AFP protocol packets.
--stealthnet Match for StealthNet protocol packets.
--aimini Match for Aimini protocol packets.
--sip Match for SIP protocol packets.
--truphone Match for Truphone protocol packets.

Source: https://habr.com/ru/post/108280/

