Honeypots mailing list archives
Anyone know how to use the content:! rule and replace in snort_inline?
From: "John Smith" <genericjohnsmith () gmail com>
Date: Mon, 24 Apr 2006 22:23:35 +0000
OK, so maybe I don't get how the content:!"something" rule is supposed to work when used with replace in snort_inline. What I want to do is replace the contents of any ping packet which does not match the default linux ping. The default linux ping has the timestamps in its payload and then a fixed string (hex) 08 09 0a 0b ...35. I only have default ping packets to work with right now, but the ideas are simply illustrated:

This works:

pass icmp any any <> any any (content:"|08 09 0a...|"; replace:"000...";)

and replaces the fixed string...so shouldn't I be able to do something like:

pass icmp any any <> any any (content:!"|ff ff ff...|"; replace:"000...";)

and then it will see that the content is NOT ff ff ff (it's 08 09 0a) and replace it the same way it did with the first rule? Of course this didn't work, so I would appreciate it if someone could tell me where I'm going wrong. Is it even possible to check if content is NOT some known good pattern and then replace anything except that?

I wanted to do a demo which showed that snort_inline could handle stupid covert channels by doing packet rewriting, but it doesn't even seem capable of this small feature...anyone know how to overwrite anything EXCEPT known good content?

Much Thanks!
John
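As an added illustration (not part of the thread and not snort_inline code), a small Python model of the two pieces in the question: a check that an echo payload has the default Linux layout described above (timestamp bytes followed by the ascending byte sequence), and a replace that, like the positive-content rule in the post, rewrites only the bytes at the offset where the content matched with a same-length string, which is why a negated content, matching no bytes, gives replace nothing to act on. The 56-byte payload length, the 8-byte timestamp and the sample packets are constructed assumptions.

```python
import struct

# Constructed layout of a default ping payload: an 8-byte timestamp followed
# by bytes whose value equals their offset (assumption: 56-byte payload, so
# the pattern runs 0x08..0x37).
PAYLOAD_LEN = 56
TIMESTAMP_LEN = 8
DEFAULT_PATTERN = bytes(range(TIMESTAMP_LEN, PAYLOAD_LEN))


def build_default_ping_payload(seconds, microseconds):
    """Constructed sample packet data: timestamp, then the ascending pattern."""
    return struct.pack("<II", seconds, microseconds) + DEFAULT_PATTERN


def is_default_linux_ping_payload(payload):
    """Detection check: True only when everything after the timestamp is the
    known-good pattern; any other data in that span is flagged as non-default."""
    return len(payload) == PAYLOAD_LEN and payload[TIMESTAMP_LEN:] == DEFAULT_PATTERN


def rule_replace(payload, content, replacement):
    """Model of a positive content + replace rule: locate the content, overwrite
    exactly that span with a same-length replacement. Returns (matched, payload).
    No match means no offset, so the payload is returned untouched."""
    if len(content) != len(replacement):
        raise ValueError("replace string must be the same length as content")
    off = payload.find(content)
    if off < 0:
        return False, payload
    return True, payload[:off] + replacement + payload[off + len(content):]


def rule_negated_content(payload, content):
    """Model of content:!: it only reports that the pattern is absent. There is
    no matched span, so a replace modifier would have no bytes to rewrite."""
    return payload.find(content) < 0


def classify_and_normalize(payload):
    """Defender view of the question: normalize known-good pings (zero the
    fixed pattern, keep the timestamp) and flag anything else for inspection."""
    matched, out = rule_replace(payload, DEFAULT_PATTERN, b"\x00" * len(DEFAULT_PATTERN))
    if matched and is_default_linux_ping_payload(payload):
        return "default", out
    return "nondefault", payload
```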