This module matches a given string by using some pattern matching strategy. It requires a Linux kernel >= 2.6.14.
.TP
\fB\-\-algo\fP {\fBbm\fP|\fBkmp\fP}
Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morris)
.TP
\fB\-\-from\fP \fIoffset\fP
Set the offset from which it starts looking for any matching. If not passed, default is 0.
.TP
\fB\-\-to\fP \fIoffset\fP
Set the offset up to which should be scanned. That is, byte \fIoffset\fP
(counting from 0) is the last one that is scanned and the maximum position of
\fIpattern\fP's last character.
If not passed, default is the packet size.
.TP
[\fB!\fP] \fB\-\-string\fP \fIpattern\fP
Matches the given pattern.
.TP
[\fB!\fP] \fB\-\-hex\-string\fP \fIpattern\fP
Matches the given pattern in hex notation.
.TP
\fB\-\-icase\fP
Ignore case when searching.
.TP
Examples:
.IP
# The string pattern can be used for simple text characters.
.br
iptables \-A INPUT \-p tcp \-\-dport 80 \-m string \-\-algo bm \-\-string 'GET /index.html' \-j LOG
.IP
# The hex string pattern can be used for non-printable characters, like |0D 0A| or |0D0A|.
.br
iptables \-A INPUT \-p udp \-\-dport 53 \-m string \-\-algo bm \-\-from 40 \-\-to 57 \-\-hex\-string '|03|www|09|netfilter|03|org|00|'
.P
Note: Since Boyer-Moore (BM) performs searches for matches from right to left and
the kernel may store a packet in multiple discontiguous blocks, it's possible
that a match could be spread over multiple blocks, in which case this algorithm
won't find it.
.P
If you wish to ensure that such a thing won't ever happen, use the
Knuth-Pratt-Morris (KMP) algorithm instead.  In conclusion, choose the proper
string search algorithm depending on your use-case.
.P
For example, if you're using the module for filtering, NIDS or any similar
security-focused purpose, then choose KMP. On the other hand, if you really care
about performance \(em for example, you're classifying packets to apply Quality
of Service (QoS) policies \(em and you don't mind missing possible matches
spread over multiple fragments, then choose BM.
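.P
The following Python model is an added illustration, not code from the kernel or from iptables. It decodes the hex-string notation from the example above (simplified: no escape handling) and compares a search confined to each block with a KMP scan that carries its state across block boundaries. The function names, the payload and the split point are constructed for the example.

```python
# Added illustration; a simplified model, not kernel or iptables code.

def parse_hex_string(spec: str) -> bytes:
    """Decode --hex-string notation: literal text outside |...|, hex inside.
    Segments between pipes are hex bytes; spaces between them are optional."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def failure_table(pat: bytes) -> list:
    """KMP prefix function: longest proper prefix that is also a suffix."""
    fail, k = [0] * len(pat), 0
    for i in range(1, len(pat)):
        while k and pat[i] != pat[k]:
            k = fail[k - 1]
        if pat[i] == pat[k]:
            k += 1
        fail[i] = k
    return fail

def kmp_across_blocks(blocks, pat: bytes) -> int:
    """Offset of the first match or -1; match state k survives block edges."""
    fail, k, pos = failure_table(pat), 0, 0
    for block in blocks:
        for byte in block:
            while k and byte != pat[k]:
                k = fail[k - 1]
            if byte == pat[k]:
                k += 1
            if k == len(pat):
                return pos - len(pat) + 1
            pos += 1
    return -1

def per_block_search(blocks, pat: bytes) -> int:
    """Search every block in isolation, so a match split across two is missed."""
    base = 0
    for block in blocks:
        hit = block.find(pat)
        if hit != -1:
            return base + hit
        base += len(block)
    return -1

if __name__ == "__main__":
    pat = parse_hex_string("|03|www|09|netfilter|03|org|00|")
    payload = bytes(12) + pat + b"\x00\x01\x00\x01"   # constructed sample
    blocks = [payload[:20], payload[20:]]             # split inside the pattern
    print(kmp_across_blocks(blocks, pat), per_block_search(blocks, pat))
```

When the same payload is passed as a single block, both functions report the same offset; they differ only when the boundary falls inside the pattern.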