Network Security: Detailed info on Re: [Snort-users] snort_inline (content/replace) won't let me prove it's

Subject:	Re: [Snort-users] snort_inline (content/replace) won't let me prove it's cool :(
Date:	Mon, 24 Apr 2006 07:53:08 -0500

Your content match has to be be exactly the same length as the data
that you are replacing  it with, oh how very uncool of us not wanting
to break TCP/IP and everything ;-)
Regards,

Will

On 4/24/06, John Smith <genericjohnsmith@gmail.com> wrote:

OK, here's the situation. I'm doing a demo about setting up
snort_inline but I wanted a spicy example of the rewrite rule to show
that snort_inline can get rid of TRIVIAL covert channels (It obviously
can't handle real ones, but that's fine). So if you look at your
standard ping packet from windows or linux it has the same pattern in
the payload after the time stamps. For linux it is like hex 08 09 0a
0b etc to 35 I think. So what I want to do is say that (assuming
linux) any ICMP packet which doesn't have have that specific "known
good" pattern should instead be replaced. (Obviously I'm forming the
solution in this way because snort inline won't let me use regexes).
So what I *think* I should be doing is
content:!"|08 09 0a....35"; replace:"0000...0";
to just overwrite everything with hex 30 (ascii zero).

But it isn't replacing on a ping which has data inside it. If I don't
use the ! it replaces for a regular ping packet. I tried testing the
content:! rule by doing something like
content:!"|ff|"; replace:"0";
but that doesn't work either, so what is the content:! rule really
doing/matching?

Thanks!

John


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmdlnk&kid0709&bid&3057&dat1642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?listsnort-users



-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-users] snort_inline (content/replace) won't let me prove it's cool :(, John Smith Re: [Snort-users] snort_inline (content/replace) won't let me prove it's cool :(, Will Metcalf <= Re: [Snort-users] snort_inline (content/replace) won't let me prove it's cool :(, John Smith

Previous by Date:	[Snort-users] snort_inline (content/replace) won't let me prove it's cool :(, John Smith
Next by Date:	Re: [Snort-users] snort_inline (content/replace) won't let me prove it's cool :(, John Smith
Previous by Thread:	[Snort-users] snort_inline (content/replace) won't let me prove it's cool :(, John Smith
Next by Thread:	Re: [Snort-users] snort_inline (content/replace) won't let me prove it's cool :(, John Smith
Indexes:	[Date] [Thread] [Top] [All Lists]