Re: [Snort-inline-users] replace payload option

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Victor would be better able to answer that question... he did most of
the heavy lifting inside of stream4inline.  Last time I looked at the
code though I don't remember being a way to differentiate between a
regular packet and a reassembled packet after it left stream4 but I
could be wrong.

Regards,

Will

On 8/7/08, Adayadil Thomas <ada...@gm...> wrote:
> Will,
>
> Thanks for the reply.
>
> The code doesn't seem to differentiate based on whether the analyzed packet is
> a pseudo packet or not.
>
> detection-plugins/sp_pattern_match.c
>
> CheckANDPatternMatch(...)
> <snip>
>    if (InlineMode() && found && idx->replace_buf)
>    {
>        //fix the packet buffer to have the new string
>        detect_depth = (char *)doe_ptr - idx->pattern_size - dp;
>
>        ret = PayloadReplace(p, otn_idx, fp_list, detect_depth);
>        if (ret == 0)
>            return 0;
>    }
> <snip>
>
> Even inside PayloadReplace the differentiation was not present.
>
> Is that not handled now?
>
> Thanks
>
>
>
> On Thu, Aug 7, 2008 at 5:03 PM, Will Metcalf <wil...@gm...> wrote:
> > Yeah It can only work on a packet-by-packet basis.
> >
> > Regards,
> >
> > Will
> >
> > On 8/7/08, Adayadil Thomas <ada...@gm...> wrote:
> >> Greetings.
> >>
> >> I have a question/concern regarding the "replace:" rule option -
> >>
> >> Example rule from the manual --
> >>
> >> alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
> >>
> >> Although not specified in the manual it seems the functionality is
> >> meant to be used on a packet by packet basis and not on a stream (TCP
> >> stream).
> >> For example:
> >> For the above rule consider that the "GET" is spread across 3 segments
> >> each one byte long and all of them arrive in order.
> >> The first 2 bytes ('G' and 'E') will be forwarded to the destination
> >> before the rule is triggered; and at that point replacing "GET"
> >> with "BET" is not possible without the IPS retransmitting the previous
> >> 2 bytes and hope that the destination OS favors newer data.
> >>
> >> Thoughts?
> >>
> >> -------------------------------------------------------------------------
> >> This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
> >> Build the coolest Linux based applications with Moblin SDK & win great prizes
> >> Grand prize is a trip for two to an Open Source event anywhere in the world
> >> http://moblin-contest.org/redirect.php?banner_id=100&url=/
> >> _______________________________________________
> >> Snort-inline-users mailing list
> >> Sno...@li...
> >> https://lists.sourceforge.net/lists/listinfo/snort-inline-users
> >>
> >
>