Re: Question about grabbing/modifying packets

["Quasar" <quasar () speakeasy net>]

Is there any kind of software app out there you can point me toward that
would be meant for such a process?  I appreciate the feedback.

----- Original Message ----- 
From: "Darren Bounds" <dbounds () intrusense com>
To: "'Quasar'" <quasar () speakeasy net>; <tcpdump-workers () tcpdump org>
Sent: Sunday, June 15, 2003 5:56 PM
Subject: RE: [tcpdump-workers] Question about grabbing/modifying packets


> While snort-inline does modify the packet in transit, I'm not sure it's
> what you're looking for in this case. It was merely meant as an example
> of the technology you were inquiring about.
>
> As far as modifying the packet in transit, unless there are
> inconsistencies introduced to the packet stream once they're modified,
> as far as the transport layer is concerned, the source and destination
> hosts should be unaware of your tampering. For a TCP session, invalid
> sequence or acknowledge numbering, source and destination ports or flags
> are a few obvious examples of such inconsistencies.
>
>
> Darren Bounds
> Security Consultant
> Information Security Services
> Intrusense Inc.
>
>
>
>
>
>
> -----Original Message-----
> From: Quasar [mailto:quasar () speakeasy net]
> Sent: Sunday, June 15, 2003 7:41 PM
> To: Darren Bounds; tcpdump-workers () tcpdump org
> Subject: Re: [tcpdump-workers] Question about grabbing/modifying packets
>
> Is it possible to modify the packets using that snort-inline patch?  Or
> how
> would I go about that?  Also if you modify the packet and re-insert it
> into
> the stream is that transparent to the application or is there built in
> CRC's
> and things on udp packets that would change?
> Thanks
>
> ----- Original Message ----- 
> From: "Darren Bounds" <dbounds () intrusense com>
> To: "'Quasar'" <quasar () speakeasy net>; <tcpdump-workers () tcpdump org>
> Sent: Sunday, June 15, 2003 5:23 PM
> Subject: RE: [tcpdump-workers] Question about grabbing/modifying packets
>
>
> I believe the proper term for what you're speaking about is "packet
> scrubbing".
>
> Among many others, the Snort-Inline patch for Snort IDS does this but
> uses libipq rather than libpcap.
>
> Available at: http://snort-inline.sf.net
>
>
>
>
>
>
>
>
>
> -----Original Message-----
> From: owner-tcpdump-workers () sandelman ottawa on ca
> [mailto:owner-tcpdump-workers () sandelman ottawa on ca] On Behalf Of
> Quasar
> Sent: Sunday, June 15, 2003 2:52 PM
> To: tcpdump-workers () tcpdump org
> Subject: [tcpdump-workers] Question about grabbing/modifying packets
>
> Goal:
> To be able to watch for certain packets, edit them, place them back in
> the stream so the application is unaware that anything has been changed,
> ie the sender or anything like that.
>
> Possible implementations that I can think of:
> place linux machine inbetween me and the internet and write some kind of
> program to watch for those packets, change them if need be, and have it
> forward the packets to this machine
>
> write a low level NDIS or TDI driver in windows
> (dont have any experience doing either of those other than ONLY
> forwarding packets with a linux machine between me and the internet
> using iptables)
>
> Is there any links anyone can provide on how this could be accomplished,
> or am I heading in the right direction? Also I am wondering how I can
> stop the stream, maybe stick it in a buffer or something while i work on
> that packet then re-insert it and re-enable the stream? Anyway I'm new
> to this and figured the veterans might be able to help.
> Thanks in advance-

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe