abakash Posted February 12, 2007

Hi, I am working on a firewall and need to capture packets from the Ethernet and then do some analysis on them before sending them to the Apache application. I have been able to capture the packets, but they are also received by Apache at the same instant. But I need to analyze the packet before it is received by Apache. Any help in this regard would be highly appreciated.

Abakash

trq Posted February 12, 2007

Are you writing the firewall using iptables?

steviewdr Posted February 12, 2007

I'm not sure you can do it - as you said - Apache gets the packet at the same instant. Iptables would be a better level to go down to, but I'm not sure if it has enough low-level detail that you are looking for. Why do you want to analyse the visitor before it hits Apache? I suggest you use a proxy which can hand off the request to a certain webserver on a local port etc. Is this for SSL certs etc.?

-steve

abakash (Author) Posted February 13, 2007

Actually, what I am trying to do is run a Web Application Firewall (WAF) and the Apache server on the same system on the same port (80). So, when a packet comes, it needs to be analyzed by the WAF before passing it to the Apache server module. But since both are running on the same port, the packet is received by both at the same instant, which is not at all helping my cause. I am stuck and don't know how to proceed. Any help would be great!!!!

steviewdr Posted February 13, 2007

I think you need to look at mod_security, which plugs into Apache as a module.

-steve

trq Posted February 13, 2007

One solution would be to have Apache listen on a different port. When a request comes in for port 80, have your firewall inspect it and then if valid forward it to whatever port Apache is running on.

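Added example, not part of the original thread or any poster's code: in the layout suggested above, where the inspecting process owns port 80 and Apache listens elsewhere, no packet has to be stored or rewritten, because the inspecting process accepts the client's TCP connection itself and opens a second connection to Apache. The sketch assumes Apache has been moved to `127.0.0.1:8080`; the function names and the rules in `verdict` are hypothetical placeholders, and it narrows to body-less GET/HEAD requests, one per connection, so that every forwarded byte has been inspected.

```python
import socket, threading
BACKEND = ("127.0.0.1", 8080)  # assumption: Apache moved to "Listen 127.0.0.1:8080"
MAX_HEAD = 8192                # placeholder cap on request line + headers

def read_head(conn):
    """Read from the client up to the blank line that ends the headers."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < MAX_HEAD and (chunk := conn.recv(4096)):
        buf += chunk
    return b"".join(buf.partition(b"\r\n\r\n")[:2])  # drop anything after the head

def verdict(head):
    """Return None to allow, or a reason string to block (placeholder rules)."""
    if not head.endswith(b"\r\n\r\n") or len(head) > MAX_HEAD:
        return "incomplete or oversized header block"
    lines = head[:-4].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return "malformed request line"
    if parts[0] not in (b"GET", b"HEAD"):
        return "method not allowed"
    if b".." in parts[1] or b"%2e" in parts[1].lower():
        return "dot-dot or encoded dot in path"
    names = {l.split(b":", 1)[0].strip().lower() for l in lines[1:]}
    if names & {b"content-length", b"transfer-encoding"}:
        return "request body not accepted"
    return None

def force_close(head):
    """Replace any Connection header with 'close': one inspected request per connection."""
    kept = [l for l in head[:-4].split(b"\r\n") if not l.lower().startswith(b"connection:")]
    return b"\r\n".join(kept + [b"Connection: close"]) + b"\r\n\r\n"

def handle(client, backend=BACKEND):
    """Inspect one request; return the block reason, or None once forwarded."""
    client.settimeout(10)
    with client:
        head = read_head(client)
        if (reason := verdict(head)):
            client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
            return reason
        with socket.create_connection(backend, timeout=10) as upstream:
            upstream.sendall(force_close(head))  # only inspected bytes are forwarded
            while (data := upstream.recv(4096)):
                client.sendall(data)

if __name__ == "__main__":
    srv = socket.create_server(("0.0.0.0", 80))  # the WAF takes over port 80
    while True:
        threading.Thread(target=handle, args=(srv.accept()[0],), daemon=True).start()
```

Binding Apache to `127.0.0.1` rather than all interfaces keeps clients from reaching it around the inspection step. Binding port 80 normally requires elevated privileges.
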
abakash (Author) Posted February 13, 2007

Ya, I was thinking about it. But I am not sure how easily I can forward the packet to another port. I felt I would need to store the packet, then modify the port number in the packet and then forward it. Can this work? Can you help me with some tutorial on how the packet can be stored and then modified? Or is there any better way of doing it?

Thanks
Abakash

trq Posted February 13, 2007

I really can't see a solution at the level you are attempting to do this. IMO you would need to use iptables and get this done well before you get to the webserver stage. Iptables is a huge subject in itself; there is a simple tutorial here, but really, I'd find a decent sys admin.

steviewdr Posted February 13, 2007

If you're using any decent Web Application Firewall (WAF) - it'll have an integration how-to for Apache.

-steve

abakash (Author) Posted February 13, 2007

Actually I am making the firewall!!!!!! So, kind of need to know how to integrate!!!!!

trq Posted February 13, 2007

> Actually I am making the firewall!!!!!!

What are you making the firewall with? Not PHP? A firewall should be well before a web server. Read the link I posted about iptables; you use iptables to build firewalls.