Honeypots mailing list archives
Re: Anyone know how to use the content:! rule and replace in snort_inline?
From: "John Smith" <genericjohnsmith () gmail com>
Date: Mon, 24 Apr 2006 22:57:29 +0000
On 4/24/06, Frank Knobbe <frank () knobbe us> wrote:

> On Mon, 2006-04-24 at 22:23 +0000, John Smith wrote:
> > and replaces the fixed string...so shouldn't I be able to do something like:
> > pass icmp any any <> any any (content:!"|ff ff ff...|"; replace:"000...";)
> > and then it will see that the content is NOT ff ff ff (it's 08 09 0a) and replace it the same way it did with the first rule? Of course this didn't work so I would appreciate it if someone could tell me where I'm going wrong.
>
> You used a "pure not rule". You can not use a rule that only has a content:!"blah" in it. You can use negated content matches only after a positive content match (i.e. content:"blah"; content:!"blahoney";)

Thank you, the logic of how ! was used was not clear to me, and it seems therefore like I can't do what I need to do :(

> > Is it even possible to check if content is NOT some known good pattern and then replace anything except that?
>
> heh... what is a NOT known good pattern? Could you write one? :)

if the logic was working the way I thought it was, then sure (but yes I can't write a *pattern* for not-known-good :P)

> Snort can only match on content, not on NOT-content alone, much like the absence of content.

Right, I guess absence of specific content is what I was looking for given that snort inline doesn't seem able to simply overwrite a specific portion of the payload irrespective of its content. So yeah basically your reply seems to indicate that that isn't going to happen... I knew it wasn't really the right tool for the job, but I couldn't find anything else which claimed to be able to rewrite packets easily.

Thanks
John

> The not-content rule can only be used in conjunction with a content rule.
>
> Regards,
> Frank
>
> --
> It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.