From: Adayadil T. <ada...@gm...> - 2008-08-07 21:25:28
Will,
Thanks for the reply.
The code doesn't seem to differentiate based on whether the analyzed packet is
a pseudo packet or not.
detection-plugins/sp_pattern_match.c
CheckANDPatternMatch(...)
<snip>
    if (InlineMode() && found && idx->replace_buf)
    {
        // fix the packet buffer to have the new string
        detect_depth = (char *)doe_ptr - idx->pattern_size - dp;
        ret = PayloadReplace(p, otn_idx, fp_list, detect_depth);
        if (ret == 0)
            return 0;
    }
<snip>
Even inside PayloadReplace the differentiation was not present.
Is that not handled now?
Thanks
On Thu, Aug 7, 2008 at 5:03 PM, Will Metcalf <wil...@gm...> wrote:
> Yeah, it can only work on a packet-by-packet basis.
>
> Regards,
>
> Will
>
> On 8/7/08, Adayadil Thomas <ada...@gm...> wrote:
>> Greetings.
>>
>> I have a question/concern regarding the "replace:" rule option -
>>
>> Example rule from the manual --
>>
>> alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
>>
>> Although not specified in the manual it seems the functionality is
>> meant to be used on a packet by packet basis and not on a stream (TCP
>> stream).
>> For example:
>> For the above rule consider that the "GET" is spread across 3 segments
>> each one byte long and all of them arrive in order.
>> The first 2 bytes ('G' and 'E') will be forwarded to the destination
>> before the rule is triggered; and at that point replacing "GET"
>> with "BET" is not possible without the IPS retransmitting the previous
>> 2 bytes and hoping that the destination OS favors newer data.
>>
>> Thoughts?
>>
>> _______________________________________________
>> Snort-inline-users mailing list
>> Sno...@li...
>> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
>>
>
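The split-segment case raised in this thread, as an added illustration that is not Snort code: a per-packet content match with replace, beside a stream-aware variant that holds back the trailing bytes that could still begin a match before forwarding. Function names, the segment inputs and the "hold back a possible prefix" strategy are assumptions, not anything in the Snort source quoted above.

```python
"""Constructed simulation of inline 'replace' on TCP segments.

Each segment is a bytes object holding that segment's payload. The
replacement is kept the same length as the pattern so that no sequence
numbers have to change on the wire.
"""
from typing import List, Tuple


def per_packet_replace(segments: List[bytes], pattern: bytes,
                       replacement: bytes) -> Tuple[bytes, int]:
    """Match and replace inside each segment independently (packet-by-packet).

    Returns (bytes forwarded to the destination, number of rule hits).
    A pattern spread over several segments is never seen in one piece,
    so it is neither alerted on nor replaced.
    """
    assert len(pattern) == len(replacement)
    forwarded, hits = b"", 0
    for seg in segments:
        idx = seg.find(pattern)
        if idx != -1:
            hits += 1
            seg = seg[:idx] + replacement + seg[idx + len(pattern):]
        forwarded += seg  # forwarded as soon as this segment is processed
    return forwarded, hits


def _possible_prefix_len(buf: bytes, pattern: bytes) -> int:
    """Longest suffix of buf that is a proper prefix of pattern."""
    for k in range(min(len(buf), len(pattern) - 1), 0, -1):
        if buf[-k:] == pattern[:k]:
            return k
    return 0


def stream_replace(segments: List[bytes], pattern: bytes,
                   replacement: bytes) -> Tuple[bytes, int]:
    """Stream-aware variant: delay bytes that may still start a match.

    Cost of the approach: up to len(pattern)-1 bytes are withheld from the
    destination until the next segment (or end of stream) resolves them.
    """
    assert len(pattern) == len(replacement)
    forwarded, held, hits = b"", b"", 0
    for seg in segments:
        buf = held + seg
        while (idx := buf.find(pattern)) != -1:   # replace every full match
            hits += 1
            forwarded += buf[:idx] + replacement
            buf = buf[idx + len(pattern):]
        keep = _possible_prefix_len(buf, pattern)
        forwarded += buf[:len(buf) - keep]       # safe to release now
        held = buf[len(buf) - keep:]             # might still become a match
    return forwarded + held, hits                # flush at end of stream
```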