Jump to content

Linux - Replace Traffic


Mr-Protocol
 Share

Recommended Posts

I was reading the snort manual and it talked about the ability to replace matched content in packets before they are sent on the network.

Example:

alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)

Additionally, Jed Haile’s content replace code allows you to modify packets before they leave the network. For

example:

alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)

alert udp any any <> any 53 (msg: "udp replace"; content: "yahoo"; replace: "xxxxx";)

These rules will comb TCP port 80 traffic looking for GET, and UDP port 53 traffic looking for yahoo. Once they

are found, they are replaced with BET and xxxxx, respectively. The replace pattern and content can be of different

lengths. When the replace pattern is longer than the content, the replace pattern gets truncated and when the replace

pattern is shorter than the content, first few bytes of the content (equivalent to the length of the replace pattern) are

replaced.

Windows equivalent of it would be I think WPE Pro with it's packet filters. I used to use those to cheat on some online games by modifying "spellcast_lvl1" with the code for "spellcast_lvl100" sort of thing.

I was wondering what (assuming it there is something out there I haven't heard of) that does this without a full blown install and config of snort.

Edit:

ettercap filters

I can use ettercap filters to do such things. But now my question is how to I get it to work properly.

My Goal:

Run a tor exit node (relay node), run an ettercap filter to modify the bittorrent traffic signatures coming through my tor exit node to drop the packets. I want to keep those bittorrent users off my node.

Edited by Mr-Protocol
Link to comment
Share on other sites

ettercap filters are wonkey ...

you can use transparent proxy with say squid/apache/mod rewrite or use my ugly script

http://forums.remote-exploit.org/programmi....html#post94904

But yes you present a really good point.. snort would be a really great non HTTP based 'proxy' .. ill look around and see if anybody has done anything with this... very interesting stuff thanks !

Link to comment
Share on other sites

  • 3 weeks later...

I'm interested in such a technology to implement for example in a Linux Core ISP router with iptables or one with BSD + pf to help deal with viruses, and generally any problem that would be too hard to fix on every users' station that generates traffic through our router. That would need performance as well - no dealy for packets.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...