
Posted (edited)

I was reading the snort manual and it talked about the ability to replace matched content in packets before they are sent on the network.

Example:

alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)

Additionally, Jed Haile's content replace code allows you to modify packets before they leave the network. For example:

alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)

alert udp any any <> any 53 (msg: "udp replace"; content: "yahoo"; replace: "xxxxx";)

These rules will comb TCP port 80 traffic looking for GET, and UDP port 53 traffic looking for yahoo. Once they are found, they are replaced with BET and xxxxx, respectively. The replace pattern and content can be of different lengths. When the replace pattern is longer than the content, the replace pattern gets truncated, and when the replace pattern is shorter than the content, the first few bytes of the content (equivalent to the length of the replace pattern) are replaced.

The Windows equivalent of it would be, I think, WPE Pro with its packet filters. I used to use those to cheat on some online games by modifying "spellcast_lvl1" with the code for "spellcast_lvl100", that sort of thing.

I was wondering what is out there (assuming there is something I haven't heard of) that does this without a full-blown install and config of Snort.

Edit:

ettercap filters

I can use ettercap filters to do such things. But now my question is how do I get it to work properly.

My Goal:

Run a tor exit node (relay node), run an ettercap filter to modify the bittorrent traffic signatures coming through my tor exit node to drop the packets. I want to keep those bittorrent users off my node.

Edited by Mr-Protocol
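The length rules quoted from the Snort manual above (replace truncated when longer than content, only the leading bytes overwritten when shorter) are easy to get wrong when reasoning about what actually hits the wire. The following is an added illustration written for this thread, not Snort's code: it pulls the content/replace options out of a rule string (plain quoted strings only, no |hex| notation) and applies those semantics to a constructed payload, showing that the payload length never changes.

```python
import re

# Matches plain-string content:"..." and replace:"..." options; the |hex|
# form Snort also accepts is deliberately not handled in this illustration.
OPTION_RE = re.compile(r'(content|replace)\s*:\s*"([^"]*)"\s*;')


def parse_replace_rule(rule: str) -> tuple[bytes, bytes]:
    """Pull the content and replace patterns out of a Snort rule body."""
    opts = dict(OPTION_RE.findall(rule))
    if "content" not in opts or "replace" not in opts:
        raise ValueError("rule needs both content and replace options")
    return opts["content"].encode(), opts["replace"].encode()


def effective_replacement(content: bytes, replace: bytes) -> bytes:
    """Bytes actually written over the matched content.

    Longer replace: truncated to len(content).
    Shorter replace: only the first len(replace) bytes change; the tail of
    the original content is kept. Either way the result is exactly
    len(content) bytes, so the packet size (and TCP sequence numbering)
    is untouched, which is what makes inline replacement workable.
    """
    if len(replace) >= len(content):
        return replace[: len(content)]
    return replace + content[len(replace):]


def apply_replace(payload: bytes, content: bytes, replace: bytes) -> bytes:
    """Rewrite the first occurrence of content in payload, Snort-style."""
    idx = payload.find(content)
    if idx < 0:
        return payload  # no match, packet passes unchanged
    patch = effective_replacement(content, replace)
    return payload[:idx] + patch + payload[idx + len(content):]


# Rule text from the thread above.
RULE = 'alert tcp any any <> any 80 (msg:"tcp replace"; content:"GET"; replace:"BET";)'

if __name__ == "__main__":
    content, replace = parse_replace_rule(RULE)
    # Constructed sample HTTP request line, not captured traffic.
    req = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    out = apply_replace(req, content, replace)
    print(out)
    assert len(out) == len(req)
```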
  • 3 weeks later...
Posted

I'm interested in such a technology to implement, for example, in a Linux Core ISP router with iptables or one with BSD + pf to help deal with viruses, and generally any problem that would be too hard to fix on every user's station that generates traffic through our router. That would need performance as well: no delay for packets.

Posted

Snort manuals and what not do advise that it is not really good to use that as a way to thwart virus behavior. But if you read up on snort manual it talks about it in there...
