Mr-Protocol Posted May 30, 2010 (edited)

I was reading the snort manual and it talked about the ability to replace matched content in packets before they are sent on the network. Example:

alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)

Additionally, Jed Haile's content replace code allows you to modify packets before they leave the network. For example:

alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
alert udp any any <> any 53 (msg: "udp replace"; content: "yahoo"; replace: "xxxxx";)

These rules will comb TCP port 80 traffic looking for GET, and UDP port 53 traffic looking for yahoo. Once they are found, they are replaced with BET and xxxxx, respectively. The replace pattern and content can be of different lengths. When the replace pattern is longer than the content, the replace pattern gets truncated, and when the replace pattern is shorter than the content, the first few bytes of the content (equivalent to the length of the replace pattern) are replaced.

The Windows equivalent of it would be, I think, WPE Pro with its packet filters. I used to use those to cheat on some online games by modifying "spellcast_lvl1" with the code for "spellcast_lvl100", that sort of thing.

I was wondering what (assuming there is something out there I haven't heard of) does this without a full-blown install and config of snort.

Edit: ettercap filters

I can use ettercap filters to do such things. But now my question is how do I get it to work properly.

My Goal: Run a tor exit node (relay node), run an ettercap filter to modify the bittorrent traffic signatures coming through my tor exit node to drop the packets. I want to keep those bittorrent users off my node.

Edited May 30, 2010 by Mr-Protocol
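Added here as an illustration, not code from the thread or from Snort itself: a small Python simulator of the replace semantics quoted from the manual above, so the two length rules (replace longer than content is truncated, replace shorter only overwrites the first bytes of the match) can be checked against constructed payloads. The rule, port and payload values are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class ReplaceRule:
    """One Snort-style rule: find `content` in the payload, overwrite it with `replace`."""
    proto: str      # "tcp" or "udp"
    port: int       # destination port the rule applies to
    content: bytes  # pattern the rule looks for
    replace: bytes  # bytes written over the match

    def rewrite(self, payload: bytes) -> tuple[bytes, bool]:
        """Apply the manual's replace semantics to the first match only.

        The packet length never changes: a replace pattern longer than the
        content is truncated to len(content); a shorter one overwrites only
        the first len(replace) bytes of the match and leaves the rest alone.
        """
        idx = payload.find(self.content)
        if idx == -1:
            return payload, False
        n = len(self.content)
        patch = self.replace[:n] + self.content[len(self.replace):]
        out = payload[:idx] + patch + payload[idx + n:]
        assert len(out) == len(payload)  # invariant that makes in-place rewriting safe
        return out, True


def apply_rules(proto: str, dport: int, payload: bytes,
                rules: list[ReplaceRule]) -> tuple[bytes, list[int]]:
    """Run every rule whose proto/port match; return the rewritten payload
    and the indexes of the rules that fired."""
    fired = []
    for i, rule in enumerate(rules):
        if rule.proto == proto and rule.port == dport:
            payload, hit = rule.rewrite(payload)
            if hit:
                fired.append(i)
    return payload, fired


# Constructed rules: the two from the manual excerpt, plus two that
# exercise the length rules (replace longer / shorter than content).
RULES = [
    ReplaceRule("tcp", 80, b"GET", b"BET"),
    ReplaceRule("udp", 53, b"yahoo", b"xxxxx"),
    ReplaceRule("tcp", 8080, b"GET", b"BETTER"),  # longer: truncated to b"BET"
    ReplaceRule("udp", 5353, b"yahoo", b"xx"),    # shorter: only first 2 bytes change
]

if __name__ == "__main__":
    # constructed sample payloads: an HTTP request line and a DNS label sequence
    print(apply_rules("tcp", 80, b"GET /index.html HTTP/1.1\r\n", RULES))
    print(apply_rules("udp", 53, b"\x05yahoo\x03com\x00", RULES))
```

Snort itself only performs the replace when it is deployed inline (the packet must still be in its hands); in passive sniffing mode the original packet has already left by the time the rule matches.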
operat0r_001 Posted June 1, 2010

ettercap filters are wonky ... you can use a transparent proxy with say squid/apache/mod_rewrite or use my ugly script http://forums.remote-exploit.org/programmi....html#post94904

But yes, you present a really good point.. snort would be a really great non-HTTP-based 'proxy' .. I'll look around and see if anybody has done anything with this... very interesting stuff, thanks!
NetworkPro Posted June 16, 2010

I'm interested in such a technology to implement, for example, in a Linux Core ISP router with iptables or one with BSD + pf to help deal with viruses, and generally any problem that would be too hard to fix on every user's station that generates traffic through our router. That would need performance as well - no delay for packets.
Mr-Protocol Posted June 17, 2010 (Author)

Snort manuals and whatnot do advise that it is not really good to use that as a way to thwart virus behavior. But if you read up on the snort manual, it talks about it in there...