From: Will M. <wil...@gm...> - 2008-08-07 21:03:25

Yeah, it can only work on a packet-by-packet basis.

Regards,
Will

On 8/7/08, Adayadil Thomas <ada...@gm...> wrote:
> Greetings.
>
> I have a question/concern regarding the "replace:" rule option.
>
> Example rule from the manual:
>
> alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
>
> Although not specified in the manual, it seems the functionality is
> meant to be used on a packet-by-packet basis and not on a stream (TCP
> stream).
>
> For example: for the above rule, consider that the "GET" is spread across 3 segments,
> each one byte long, and all of them arrive in order.
> The first 2 bytes ('G' and 'E') will be forwarded to the destination
> before the rule is triggered; at that point replacing "GET"
> with "BET" is not possible without the IPS retransmitting the previous
> 2 bytes and hoping that the destination OS favors newer data.
>
> Thoughts?
>
> _______________________________________________
> Snort-inline-users mailing list
> Sno...@li...
> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
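The scenario in the thread, modelled as an added example (this is illustrative Python, not Snort code, and it does not reproduce Snort's stream preprocessors). It assumes a constructed HTTP request split into three segments, a per-packet matcher of the kind `replace:` relies on, and a stream-reassembling matcher of the kind a detection-only rule can use. The point it makes is the one Will and Adayadil state: once a segment has been forwarded, an in-line rewrite cannot touch it, so a pattern split across segments is neither matched nor replaced per packet, while reassembly still detects it.

```python
"""Per-packet matching/replacing versus stream reassembly.

Added example for the snort-inline-users thread above; not Snort code.
The segments, request bytes and function names are constructed for the
illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes  # application data carried by this segment


def match_per_packet(segments: List[Segment], pattern: bytes) -> Optional[int]:
    """Inspect each segment on its own (what a per-packet rule sees).

    Returns the index of the first segment whose own payload contains
    `pattern`, or None if the pattern never sits inside a single segment.
    """
    for i, seg in enumerate(segments):
        if pattern in seg.payload:
            return i
    return None


def match_reassembled(segments: List[Segment], pattern: bytes) -> Optional[int]:
    """Reassemble the segments by sequence number, then search the stream.

    Returns the byte offset of `pattern` in the reassembled stream, or None.
    Out-of-order arrival is tolerated because we order by `seq`.
    """
    stream = b"".join(s.payload for s in sorted(segments, key=lambda s: s.seq))
    off = stream.find(pattern)
    return off if off >= 0 else None


def inline_replace(segments: List[Segment], pattern: bytes,
                   replacement: bytes) -> Tuple[bytes, bool]:
    """Model of an in-line, per-packet replace.

    Each segment is inspected and then forwarded immediately; bytes already
    forwarded cannot be recalled. Returns (bytes the destination received,
    whether a replacement happened). Replacement must keep the length so
    sequence numbers stay valid, as Snort's replace: requires.
    """
    if len(pattern) != len(replacement):
        raise ValueError("replacement must be the same length as the pattern")
    forwarded = []
    replaced = False
    for seg in segments:          # arrival order, not sequence order
        data = seg.payload
        if pattern in data:
            data = data.replace(pattern, replacement, 1)
            replaced = True
        forwarded.append(data)    # now on the wire towards the destination
    return b"".join(forwarded), replaced


# Constructed sample traffic: one request, delivered two ways.
REQUEST = b"GET /index.html HTTP/1.0\r\n\r\n"
SINGLE_SEGMENT = [Segment(0, REQUEST)]
SPLIT_SEGMENTS = [Segment(0, b"G"), Segment(1, b"E"), Segment(2, REQUEST[2:])]
OUT_OF_ORDER = [SPLIT_SEGMENTS[2], SPLIT_SEGMENTS[0], SPLIT_SEGMENTS[1]]


if __name__ == "__main__":
    for name, segs in (("single", SINGLE_SEGMENT), ("split", SPLIT_SEGMENTS)):
        print(name, "per-packet:", match_per_packet(segs, b"GET"),
              "reassembled:", match_reassembled(segs, b"GET"),
              "inline replace:", inline_replace(segs, b"GET", b"BET"))
```

Run it and the split case shows `per-packet: None` but `reassembled: 0`: a `content:"GET"` detection rule can still fire once the stream is reassembled, but `replace:"BET"` has nothing to act on because 'G' and 'E' left the sensor before 'T' arrived. Operationally this means `replace:` should be treated as best-effort for content that is guaranteed to land in one segment, and detection (not rewriting) should be relied on for anything that may straddle a segment boundary.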