Introduction to Layer 7-filter

Presenter: Andrzej Bober

Questions

What is and why we need L7 Filter How L7 works Regular expressions - example How to apply L7 on Mikrotik router Advantages and disadvantages

Traffic marking
Whatever we try to achieve implement some security rules !andwidth control or any accounting "irst o" all we need to de"ine criteria on which we will classi"y our interesting tra""ic "rom this "irst step depends the whole value o" our con"iguration#

Traffic classification field

IP Packet ToS Protocol Src IP address Dst IP address

TCP/UDP Packet Src Port Dst Port Data

Analyse packet flow content

Recognise any tra""ic $rotocols File types Malware Almost %&' pattern ready

Analyse connections

L7 matcher !y de"ault searching "or pattern at the "irst %' packets or (k) whichever is smaller *this value can not !e changed+# Any match made within this time is applied to the rest o" the connection as well#

Traffic flow
simplified diagram
,nput ,nter"ace $R-R./0,12 Mangle 1A0 ,1$/0 Mangle Firewall F.RWAR3 Mangle Firewall ./0$/0 Mangle Firewall $.40R./0,12 Mangle 1A0 .utput ,nter"ace

Best place to apply

Most o" patterns to correct work need to see !oth sides o" connection that is why the !est place to apply is on "orwarding chain#

Regular -xpressions
L7 uses regular expressions to investigate the content within an individual connection. Regular expression is text string for descri ing a search pattern. !earching examples" 5hello5 messages such as 5((' "tp server ready5 56 ok5 or 5H00$7%#% ('' ok5#

Regular #xpressions
8uick re"erence chart
9:; *caret+ Matches the !egining o" input 9<; Matches the end o" input 9#; Matches any single character 9=; ' or % occurrences o" proceeding string 96; *star+ ' or more occurrences o" preceding string 9>###?; Matches any on the enclosed characters e#g# ca>tr? matches cat and car 9@; *pipe+ Logical 9or; match either the part on the le"t side or the part on the right side

Regular #xpression
$seful things

>Ax'B-Ax'd -C? printa!le characters including whitespace >Ax'B-Ax'd ? any whitespace >D-C? non-whitespace printa!le characters

%ow to write own pattern

Find and read speci"ications "or the protocol you wish to match# For internet standard check RFEs i" it is proprietary protocol make general we! searching "or reverse-engineering speci"ication# /se any network sni""er *e#g# Wireshark+ to capture and watch packets o" this protocol go !y in a typical session o" its use# Write a pattern that will relia!ly match one o" the "irst "ew packets that are sent in your protocol# 0est it#

&T' pattern
:(('>Ax'B-Ax'd -C?6"tp@FF%>Ax'B-Ax'd -C?6password

&T' connection

Looking for pattern(

$attern li!raries can !e "ound onG httpG77protocolin"o#org7wiki7MainH$age httpG77l7-"ilter#source"orge#net7protocols 4cript "or Mikrotik with common programs listG www#mikrotik#com7download7l7-protos#rsc

Layer 7 ) *L+ configuration

0o de"ine strings you will !e looking "or add Regexp strings to the protocols menu# 7ip "irewall layer7-protocol addI 0hen apply de"ined protocols in "irewallG

7ip "irewall "ilter add layer7-protocolI For tra""ic markingG 7ip "irewall mangle add layer7-protocolI

,in ox configuration

&irewall and -angle

#ncrypted traffic
L7 do not work on 44L tunnel this is !ecause the only clear text packet "ollowing the 0E$7,$ handshake is the 44L server certi"icate# .ne thing you might try is to look "or criteria in the certi"icate that is you might decide not to trust individual certi"ication authorities#

!ummary
Advantages Any traffic High accuracy Distinguish packets working on the same port Disadvantages CPU consumption Can not recogni e encrypted traffic

References

L7-"ilter proJect we!siteG httpG77l7-"ilter#source"orge#net7 )locking protocols at Layer 7 with the L7 patch !y KLrg Harmuth