OK, here's the situation. I'm doing a demo about setting up
snort_inline but I wanted a spicy example of the rewrite rule to show
that snort_inline can get rid of TRIVIAL covert channels (It obviously
can't handle real ones, but that's fine). So if you look at your
standard ping packet from windows or linux it has the same pattern in
the payload after the time stamps. For linux it is like hex 08 09 0a
0b etc to 35 I think. So what I want to do is say that (assuming
linux) any ICMP packet which doesn't have have that specific "known
good" pattern should instead be replaced. (Obviously I'm forming the
solution in this way because snort inline won't let me use regexes).
So what I *think* I should be doing is
content:!"|08 09 0a....35"; replace:"0000...0";
to just overwrite everything with hex 30 (ascii zero).
But it isn't replacing on a ping which has data inside it. If I don't
use the ! it replaces for a regular ping packet. I tried testing the
content:! rule by doing something like
content:!"|ff|"; replace:"0";
but that doesn't work either, so what is the content:! rule really
doing/matching?
Thanks!
John
-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
