Re: Anyone know how to use the content:! rule and replace in snort_inline?

[Sushant Sinha <sushant () umich edu>]

The last time I was working on Snort code I found that it does not handle
rules that have content match all negations. This is  because  it is 
very costly
to perform multi-pattern search with all negations. I would suggest 
that add atleast one
content match (not the negation) to the rule.

-Sushant.

John Smith wrote:

> OK, so maybe I don't get how the content:!"something" rule is supposed
> to work when used with replace in snort_inline. What I want to do is
> replace the contents of any ping packet which does not match the
> default linux ping. The default linux ping has the timestamps in it's
> payload and then a fixed string (hex) 08 09 0a 0b ...35. I only have
> defualt ping packets to work with right now, but the ideas are simply
> illustrated:
> This works:
> pass icmp any any <> any any (content:"|08 09 0a...|"; replace:"000...";)
>
> and replaces the fixed string...so shouldn't I be able to do something like:
> pass icmp any any <> any any (content:!"|ff ff ff...|"; replace:"000...";)
>
> and then it will see that the content is NOT ff ff ff (it's 08 09 0a)
> and replace it the same way it did with the first rule? Of course this
> didn't work so I would appreciate it if someone could tell me where
> I'm going wrong.
>
> Is it even possible to check if content is NOT some known good pattern
> and then replace anything except that?
>
> I wanted to do a demo which showed that snort_inline could handle
> stupid covert channels by doing packet rewriting, but it doesn't even
> seem capable of this small feature...anyone know how to overwrite
> anything EXCEPT known good content?
>
> Much Thanks!
>
> John
>
>
>