pass tcp any any <> any any (content: "GET /d/247048.html";content: "Host: memo.ru"; msg: "PROXY_METHOD_GET"; nfq_set_mark:0x2/0xffffffff; sid:10;)

pass tcp any any <> any any (content: "GET /news/286782/rossiya_ustroila_ocherednuyu_provokatsiyu_na_granitse_s_ukrainoyi_mid";content: "Host: censor.net.ua"; msg: "PROXY_METHOD_GET"; nfq_set_mark:0x2/0xffffffff; sid:100;)

pass tcp any any <> any any (pcre: "/\n/i"; msg: "PROXY_METHOD_GET"; nfq_set_mark:0x8/0xffffffff; sid:10208;)

iptables -t mangle -N DPI_MATCH
iptables -t mangle -A DPI_MATCH -m mark 0x2/0xfe -j CONNMARK --save-mark

iptables -t mangle -A DPI_MATCH -m mark 0x8/0xfe -m connmark --mark 0x2/0xfe -j CONNMARK --set-mark 0x98/0xfe

iptables -A FORWARD -m connmark --mark 0x98/0xfe -p tcp -j REJECT --reject-with tcp-rst

root@debian:/usr/src/linux-4.2.1# make
  CHK     include/config/kernel.release
  CHK     include/generated/uapi/linux/version.h
  CHK     include/generated/utsrelease.h
  CHK     include/generated/bounds.h
  CHK     include/generated/timeconst.h
  CHK     include/generated/asm-offsets.h
  CALL    scripts/checksyscalls.sh
  CHK     include/generated/compile.h
  CC [M]  net/bridge/netfilter/nft_reject_bridge.o
  CC      net/ipv4/netfilter/nf_reject_ipv4.o
  CC      net/ipv4/netfilter/ipt_REJECT.o
  LD      net/ipv4/netfilter/built-in.o
  CC [M]  net/ipv4/netfilter/nft_reject_ipv4.o
  LD      net/ipv4/built-in.o
  CC [M]  net/netfilter/nft_reject_inet.o
net/netfilter/nft_reject_inet.c: In function 'nft_reject_inet_eval':
net/netfilter/nft_reject_inet.c:35:4: error: too few arguments to function 'nf_send_reset'
    nf_send_reset(pkt->skb, pkt->ops->hooknum);
    ^
In file included from net/netfilter/nft_reject_inet.c:17:0:
include/net/netfilter/ipv4/nf_reject.h:9:6: note: declared here
 void nf_send_reset(struct sk_buff *oldskb, int hook, int rev);
      ^
scripts/Makefile.build:264: recipe for target 'net/netfilter/nft_reject_inet.o' failed
make[2]: *** [net/netfilter/nft_reject_inet.o] Error 1
scripts/Makefile.build:403: recipe for target 'net/netfilter' failed
make[1]: *** [net/netfilter] Error 2
Makefile:949: recipe for target 'net' failed
make: *** [net] Error 2
root@debian:/usr/src/linux-4.2.1#

  LD      net/ipv4/built-in.o
  CC [M]  net/netfilter/nft_reject_inet.o
net/netfilter/nft_reject_inet.c: In function 'nft_reject_inet_eval':
net/netfilter/nft_reject_inet.c:35:4: error: too few arguments to function 'nf_send_reset'
    nf_send_reset(pkt->skb, pkt->ops->hooknum);
    ^
In file included from net/netfilter/nft_reject_inet.c:17:0:
include/net/netfilter/ipv4/nf_reject.h:9:6: note: declared here
 void nf_send_reset(struct sk_buff *oldskb, int hook, int rev);
      ^
scripts/Makefile.build:264: recipe for target 'net/netfilter/nft_reject_inet.o' failed
make[2]: *** [net/netfilter/nft_reject_inet.o] Error 1
scripts/Makefile.build:403: recipe for target 'net/netfilter' failed
make[1]: *** [net/netfilter] Error 2
Makefile:947: recipe for target 'net' failed
make: *** [net] Error 2

int SigParseAction(Signature *s, const char *action) {
    if (strcasecmp(action, "alert") == 0) {
        s->action = ACTION_ALERT;
        return 0;
    } else if (strcasecmp(action, "drop") == 0) {
        s->action = ACTION_DROP;
        return 0;
    } else if (strcasecmp(action, "pass") == 0) {
        s->action = ACTION_PASS;
        return 0;
    } else if (strcasecmp(action, "reject") == 0) {
        if (!(SigParseActionRejectValidate(action)))
            return -1;
        s->action = ACTION_REJECT|ACTION_DROP;
        return 0;
    } else if (strcasecmp(action, "rejectsrc") == 0) {
        if (!(SigParseActionRejectValidate(action)))
            return -1;
        s->action = ACTION_REJECT|ACTION_DROP;
        return 0;
    } else if (strcasecmp(action, "rejectdst") == 0) {
        if (!(SigParseActionRejectValidate(action)))
            return -1;
        s->action = ACTION_REJECT_DST|ACTION_DROP;
        return 0;
    } else if (strcasecmp(action, "rejectboth") == 0) {
        if (!(SigParseActionRejectValidate(action)))
            return -1;
        s->action = ACTION_REJECT_BOTH|ACTION_DROP;
        return 0;
    } else {
        SCLogError(SC_ERR_INVALID_ACTION,"An invalid action \"%s\" was given",action);
        return -1;
    }
}

  - interface: eth1
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    buffer-size: 64535
    copy-iface: eth0
    copy-mode: ips
    use-mmap: yes

  - interface: eth0
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    buffer-size: 64535
    copy-iface: eth1
    copy-mode: ips
    use-mmap: yes

void RejectSendLibnet11L3IPv4TCPHTTP (Libnet11Packet *lpacket, char *devname)
{
    static u_int8_t httphead[] =
    "HTTP/1.0 302 Found\n"
    "Location: http://тутурл\n"
    "Connection:close\n"
    "Content-Length: 0\n";
    
    char ebuf[LIBNET_ERRBUF_SIZE];

    int SIZEHTTPHEAD = strlen((const char*) httphead);
    
    libnet_t *c;
    
    if ((c = libnet_init(LIBNET_RAW4, devname, ebuf)) == NULL) {
        SCLogError(SC_ERR_LIBNET_INIT,"libnet_init failed: %s", ebuf);
    	goto cleanup;
	} 
    
    if (libnet_build_tcp(lpacket->sp, 
		    lpacket->dp, 
		    lpacket->seq,
		    lpacket->ack, 
		    TH_ACK | TH_PUSH | TH_FIN, 
		    4096, 
		    0, 
		    0, 
		    20 + SIZEHTTPHEAD,
		    httphead, 
		    SIZEHTTPHEAD, 
		    c, 
		    0)<0 ) {
		SCLogError(SC_ERR_LIBNET_BUILD_FAILED,"libnet_build_tcp for http %s", libnet_geterror(c));
		goto cleanup;
	} 

   if (libnet_build_ipv4(40 + SIZEHTTPHEAD, 
			0, 
			0,
			0x4000, 
			63,
			IPPROTO_TCP, 
			0, 
			lpacket->src4, 
			lpacket->dst4, 
			0, 
			0, 
			c, 
			0) < 0) {
			SCLogError(SC_ERR_LIBNET_BUILD_FAILED,"libnet_build_ipv4 http %s", libnet_geterror(c));
			goto cleanup;
		}
    if (libnet_write(c)==-1) {
		SCLogError(SC_ERR_LIBNET_WRITE_FAILED,"libnet_write http failed: %s", libnet_geterror(c));
		goto cleanup;
	}
    
cleanup:
    libnet_destroy (c);
}

case REJECT_DIR_SRC: 

RejectSendLibnet11L3IPv4TCPHTTP (&lpacket, devname);

    copy-mode: ips

    copy-mode: ids

reject http $HOME_NET any -> $EXTERNAL_NET any (content:"8torrent.net"; http_header; content:"|2F 34 34 37 31 2D 6D 65 74 6F 64 2D 32 30 31 35 2E 68 74 6D 6C|"; http_uri; sid:26167;)

cpu family	: 15
model		: 4
model name	: Intel(R) Xeon(TM) CPU 3.40GHz
stepping	: 10
microcode	: 2
cpu MHz		: 3399.866

#!/bin/bash

DUMP="/opt/dump.csv"
API="https://raw.githubusercontent.com/zapret-info/z-i/master/dump.csv"
IPT_RULE_IP="zapret_gov"
# IPT_RULE_URL="ZAPRET_GOV_URL"
RULEFILE=/tmp/rule.txt
ZAPRET_GOV_FILE=/opt/zapret_gov.txt
GW=10.255.0.1
ACTION=$1

search_dump ()
{
	if ls $DUMP 2>/dev/null >/dev/null
	then
		true
	else
		echo "Dump not found. Rebuilding..."
		if wget $API -O- 2>/dev/null >/dev/null  >$DUMP
		then
			echo "Rebuild OK"
		else
			echo "Rebuild FAILED"
			rm $DUMP
			exit 1
		fi
	fi
}

add_rule_to_ip ()
{
	echo "Cleaning..."
	ip route flush proto 122 table 122
	echo "Build iproute from ip rules..."
	for a in $(cat $DUMP|iconv -f cp1251 -t utf8|tr ' |' ' '|tr '  '  ','|tr ';' ' '|awk '{print $1}'|sed 's/,,,/=/g'|tr '=' '\n'|sort -u|sed '/Updated:/d')
	do
		# iptables -A $IPT_RULE_IP -d $a -m ndpi --http --ssl -j $IPT_RULE_URL
	ip route add $a via $GW proto 122 table 122 >/dev/null 2>/dev/null
	done
}

iptables_zapret_gov ()
{
	ipset -F $IPT_RULE_IP
	echo "Build ipset from ip rules..."
	for a in $(cat $DUMP|iconv -f cp1251 -t utf8|tr ' |' ' '|tr '  '  ','|tr ';' ' '|awk '{print $1}'|sed 's/,,,/=/g'|tr '=' '\n'|sort -u|sed '/Updated:/d')
	do
		#iptables -t mangle -A $IPT_RULE_IP -d "$a" -j DPI
		ipset -A $IPT_RULE_IP $a >/dev/null 2>/dev/null
	done

}

add_rule_to_url ()
{
	rm $ZAPRET_GOV_FILE
	echo "Build squid3 from url rules..."
        for a in $(cat $DUMP|iconv -f cp1251 -t utf8|tr ' |' ' '|tr '  '  ','|tr ';' ' '|awk '{print $3}'|grep http|tr ',' '~'|sed 's/~~~/ /'|tr ' ' '\n'|sort -u)
        do
                echo "$a" >>$ZAPRET_GOV_FILE
        done
	service squid3 restart
}

clean_ipt_rule ()
{
	echo "Cleaning $IPT_RULE"
#	iptables -F $IPT_RULE_IP
	ip route flush proto 122 table 122
	ipset -F $IPT_RULE
}

case $ACTION in

start)
	search_dump
	add_rule_to_ip
	iptables_zapret_gov
	add_rule_to_url
	exit 0
	;;
stop)
	clean_ipt_rule
	exit 0
	;;

esac

pass tcp any any <> any any (pcre: "Host: kasparov.ru";  msg: "DPI"; nfq_set_mark:0x8/0xffffffff; sid:100000;)
pass tcp any any <> any any (pcre: "/plat/i";pcre: "/Host: hospital-vrn.ru/i";  msg: "DPI"; nfq_set_mark:0x8/0xffffffff; sid:100000;)

[root@AssHole rules]# cat rzs.rules | wc -l
16283

-------------------------------------------------------------------
Date: 12/23/2015 -- 22:38:50 (uptime: 1d, 20h 37m 20s)
-------------------------------------------------------------------
Counter                   | TM Name                   | Value
-------------------------------------------------------------------
capture.kernel_packets    | RxAFPeth11                | 1292640349
capture.kernel_drops      | RxAFPeth11                | 99035
dns.memuse                | RxAFPeth11                | 0
dns.memcap_state          | RxAFPeth11                | 0
dns.memcap_global         | RxAFPeth11                | 0
decoder.pkts              | RxAFPeth11                | 1292541286
decoder.bytes             | RxAFPeth11                | 263475058178
decoder.invalid           | RxAFPeth11                | 271
decoder.ipv4              | RxAFPeth11                | 1292536710
decoder.ipv6              | RxAFPeth11                | 5283651
decoder.ethernet          | RxAFPeth11                | 1292541286
decoder.raw               | RxAFPeth11                | 0
decoder.null              | RxAFPeth11                | 0
decoder.sll               | RxAFPeth11                | 0
decoder.tcp               | RxAFPeth11                | 876839443
decoder.udp               | RxAFPeth11                | 414943483
decoder.sctp              | RxAFPeth11                | 1
decoder.icmpv4            | RxAFPeth11                | 2138289
decoder.icmpv6            | RxAFPeth11                | 146916
decoder.ppp               | RxAFPeth11                | 131124
decoder.pppoe             | RxAFPeth11                | 0
decoder.gre               | RxAFPeth11                | 131124
decoder.vlan              | RxAFPeth11                | 268
decoder.vlan_qinq         | RxAFPeth11                | 0
decoder.teredo            | RxAFPeth11                | 5238739
decoder.ipv4_in_ipv6      | RxAFPeth11                | 0
decoder.ipv6_in_ipv6      | RxAFPeth11                | 0
decoder.avg_pkt_size      | RxAFPeth11                | 203
decoder.max_pkt_size      | RxAFPeth11                | 1514
defrag.ipv4.fragments     | RxAFPeth11                | 714
defrag.ipv4.reassembled   | RxAFPeth11                | 357
defrag.ipv4.timeouts      | RxAFPeth11                | 0
defrag.ipv6.fragments     | RxAFPeth11                | 3
defrag.ipv6.reassembled   | RxAFPeth11                | 1
defrag.ipv6.timeouts      | RxAFPeth11                | 0
defrag.max_frag_hits      | RxAFPeth11                | 0
capture.kernel_packets    | RxAFPeth01                | 1800673812
capture.kernel_drops      | RxAFPeth01                | 309073
dns.memuse                | RxAFPeth01                | 0
dns.memcap_state          | RxAFPeth01                | 0
dns.memcap_global         | RxAFPeth01                | 0
decoder.pkts              | RxAFPeth01                | 1800364746
decoder.bytes             | RxAFPeth01                | 2067953190173
decoder.invalid           | RxAFPeth01                | 5504
decoder.ipv4              | RxAFPeth01                | 1801257168
decoder.ipv6              | RxAFPeth01                | 6286011
decoder.ethernet          | RxAFPeth01                | 1800364746
decoder.raw               | RxAFPeth01                | 0
decoder.null              | RxAFPeth01                | 0
decoder.sll               | RxAFPeth01                | 0
decoder.tcp               | RxAFPeth01                | 1355973715
decoder.udp               | RxAFPeth01                | 439745241
decoder.sctp              | RxAFPeth01                | 0
decoder.icmpv4            | RxAFPeth01                | 5439384
decoder.icmpv6            | RxAFPeth01                | 1164
decoder.ppp               | RxAFPeth01                | 104799
decoder.pppoe             | RxAFPeth01                | 0
decoder.gre               | RxAFPeth01                | 104799
decoder.vlan              | RxAFPeth01                | 0
decoder.vlan_qinq         | RxAFPeth01                | 0
decoder.teredo            | RxAFPeth01                | 6285632
decoder.ipv4_in_ipv6      | RxAFPeth01                | 0
decoder.ipv6_in_ipv6      | RxAFPeth01                | 0
decoder.avg_pkt_size      | RxAFPeth01                | 1148
decoder.max_pkt_size      | RxAFPeth01                | 1514
defrag.ipv4.fragments     | RxAFPeth01                | 1921426
defrag.ipv4.reassembled   | RxAFPeth01                | 908374
defrag.ipv4.timeouts      | RxAFPeth01                | 0
defrag.ipv6.fragments     | RxAFPeth01                | 706
defrag.ipv6.reassembled   | RxAFPeth01                | 353
defrag.ipv6.timeouts      | RxAFPeth01                | 0
defrag.max_frag_hits      | RxAFPeth01                | 0
tcp.sessions              | Detect                    | 37941137
tcp.ssn_memcap_drop       | Detect                    | 0
tcp.pseudo                | Detect                    | 2950192
tcp.invalid_checksum      | Detect                    | 0
tcp.no_flow               | Detect                    | 0
tcp.reused_ssn            | Detect                    | 15447
tcp.memuse                | Detect                    | 60104928
tcp.syn                   | Detect                    | 81148684
tcp.synack                | Detect                    | 16972436
tcp.rst                   | Detect                    | 13352546
dns.memuse                | Detect                    | 0
dns.memcap_state          | Detect                    | 0
dns.memcap_global         | Detect                    | 0
tcp.segment_memcap_drop   | Detect                    | 0
tcp.stream_depth_reached  | Detect                    | 104811
tcp.reassembly_memuse     | Detect                    | 2834592462
tcp.reassembly_gap        | Detect                    | 2963
http.memuse               | Detect                    | 102358651
http.memcap               | Detect                    | 0
detect.alert              | Detect                    | 24240
flow_mgr.closed_pruned    | FlowManagerThread         | 16566667
flow_mgr.new_pruned       | FlowManagerThread         | 49902723
flow_mgr.est_pruned       | FlowManagerThread         | 19270957
flow.memuse               | FlowManagerThread         | 51085600
flow.spare                | FlowManagerThread         | 20799
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0

iptables -t mangle -A PREROUTING -m connbytes --connbytes-mode bytes --connbytes-dir both --connbytes 100000 -j TEE --gw 172.19.114.2