Honeypots mailing list archives

Re: Anyone know how to use the content:! rule and replace in snort_inline?


From: "John Smith" <genericjohnsmith () gmail com>
Date: Mon, 24 Apr 2006 22:57:29 +0000

On 4/24/06, Frank Knobbe <frank () knobbe us> wrote:
> On Mon, 2006-04-24 at 22:23 +0000, John Smith wrote:
> > and replaces the fixed string...so shouldn't I be able to do something like:
> > pass icmp any any <> any any (content:!"|ff ff ff...|"; replace:"000...";)
> >
> > and then it will see that the content is NOT ff ff ff (it's 08 09 0a)
> > and replace it the same way it did with the first rule? Of course this
> > didn't work so I would appreciate it if someone could tell me where
> > I'm going wrong.
>
> You used a "pure not rule". You can not use a rule that only has a
> content:!"blah" in it. You can use negated content matches only after a
> positive content match (ie content:"blah"; content:!"blahoney";)

Thank you, the logic of how ! was used was not clear to me, and it
seems therefore like I can't do what I need to do :(


> > Is it even possible to check if content is NOT some known good pattern
> > and then replace anything except that?
>
> heh... what is a NOT known good pattern? Could you write one? :)

if the logic was working the way I thought it was, then sure (but yes
I can't write a *pattern* for not-known-good :P)

> Snort
> can only match on content, not on NOT-content alone, much like the
> absence of content.

Right, I guess absence of specific content is what I was looking for
given that snort inline doesn't seem able to simply overwrite a
specific portion of the payload irrespective of its content. So yeah
basically your reply seems to indicate that that isn't going to
happen... I knew it wasn't really the right tool for the job, but I
couldn't find anything else which claimed to be able to rewrite
packets easily.

Thanks

John

> The not-content rule can only be used in conjunction
> with a content rule.
>
> Regards,
> Frank
>
>
> --
> It is said that the Internet is a public utility. As such, it is best
> compared to a sewer. A big, fat pipe with a bunch of crap sloshing
> against your ports.
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (FreeBSD)
>
> iD8DBQBETVPpGr6G9pK6fXURApXLAJ94Uq0bCiMCSQQPXcAaaIS3s9dXlwCdFgXz
> vKkuHts+tqSvx0M+Pzu53+o=
> =p0Kl
> -----END PGP SIGNATURE-----
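The following is an added illustration written for this archive page, not code from snort_inline or from either poster. It is a small Python model of the rule-option semantics the thread turns on: `content:` searches for a pattern and records where it matched, `content:!` only proves a pattern is absent and so yields no position, and `replace:` overwrites the bytes at the position of the preceding positive match. The model assumes (as snort_inline documents) that a replacement must be the same length as its content, that a "pure not" rule with no positive content is rejected, and that replacements are only kept when the whole rule matches. The `Content`, `Rule`, `validate`, `check` and `apply_rule` names, and the sample rules built from the thread's `ff ff ff` / `08 09 0a` bytes, are all constructed here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


class RuleError(ValueError):
    """Raised for a rule that the thread says snort_inline would reject."""


@dataclass
class Content:
    pattern: bytes                   # bytes from content:"..." (|ff ff ff| form decoded)
    negated: bool = False            # True models content:!"..."
    replace: Optional[bytes] = None  # bytes from a following replace:"..."


@dataclass
class Rule:
    options: List[Content]


def validate(rule: Rule) -> None:
    """Apply the two constraints discussed in the thread.

    1. A "pure not" rule, whose only content options are negated, is not
       accepted: at least one positive content: must be present.
    2. replace: overwrites the bytes where the preceding positive content
       matched, so it cannot hang off a content:! (which never yields a
       position) and must be the same length as that content (assumption
       of this model, taken from snort_inline's documented behaviour).
    """
    if not any(not c.negated for c in rule.options):
        raise RuleError("pure not rule: at least one positive content: is required")
    for c in rule.options:
        if c.replace is None:
            continue
        if c.negated:
            raise RuleError("replace: needs a match position; content:! gives none")
        if len(c.replace) != len(c.pattern):
            raise RuleError("replace: must be the same length as its content:")


def check(rule: Rule) -> Optional[str]:
    """Return None for an acceptable rule, else the validation message."""
    try:
        validate(rule)
    except RuleError as err:
        return str(err)
    return None


def apply_rule(rule: Rule, payload: bytes) -> Tuple[bool, bytes]:
    """Evaluate the rule against one payload.

    Returns (matched, payload_after_replace). Replacements are only kept
    when every option matches (modelling replace being applied on alert);
    otherwise the original bytes come back unchanged.
    """
    validate(rule)
    buf = bytearray(payload)
    cursor = 0  # end of the last positive match; later searches start here
    for c in rule.options:
        pos = buf.find(c.pattern, cursor)
        if c.negated:
            if pos != -1:
                return False, payload  # forbidden pattern is present
            continue                   # absence proven, but nothing to anchor on
        if pos == -1:
            return False, payload
        if c.replace is not None:
            buf[pos:pos + len(c.pattern)] = c.replace
        cursor = pos + len(c.pattern)
    return True, bytes(buf)


# Constructed sample rules mirroring the thread.
FIRST_RULE = Rule([Content(b"\xff\xff\xff", replace=b"\x00\x00\x00")])                   # the rule that worked
PURE_NOT_RULE = Rule([Content(b"\xff\xff\xff", negated=True, replace=b"\x00\x00\x00")])  # the rule that did not
COMBINED_RULE = Rule([Content(b"\x08\x09", replace=b"\x00\x00"),
                      Content(b"\xff\xff\xff", negated=True)])                            # content: then content:!


if __name__ == "__main__":
    print(apply_rule(FIRST_RULE, b"\x08\x09\xff\xff\xff\x0a"))
    print(check(PURE_NOT_RULE))
    print(apply_rule(COMBINED_RULE, b"\x08\x09\x0a"))
    print(apply_rule(COMBINED_RULE, b"\x08\x09\xff\xff\xff"))
```

Running it shows the point made in the reply: the positive rule rewrites the three matched bytes, the pure-not rule is refused before any packet is examined, and a negated option is useful only as a filter after a positive match has already fixed the position to rewrite.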
