Packet on the fly modification

    Jan 2010


    I was reading the snort manual and it talked about the ability to replace matched content in packets before they are sent on the network.

    alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
    Additionally, Jed Haile’s content replace code allows you to modify packets before they leave the network. For

    alert tcp any any <> any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";)
    alert udp any any <> any 53 (msg: "udp replace"; content: "yahoo"; replace: "xxxxx";)

    These rules will comb TCP port 80 traffic looking for GET, and UDP port 53 traffic looking for yahoo. Once they
    are found, they are replaced with BET and xxxxx, respectively. The replace pattern and content can be of different
    lengths. When the replace pattern is longer than the content, the replace pattern gets truncated and when the replace
    pattern is shorter than the content, first few bytes of the content (equivalent to the length of the replace pattern) are
    The Windows equivalent of it would be, I think, WPE Pro with its packet filters.

    I was wondering what (assuming there is something out there I haven't heard of) does this without a full-blown install and config of snort. I seem to get a lot of bittorrent traffic on my tor relay node and was hoping to just find a way to either drop or malform the packets to stop torrents from running on my node.

    ---Answered my own Q: ettercap filters?

    Now to figure out how to get it to play nice with my running tor relay node.

    Anyone have insight on how to do this?
    Essentially it's like me running a proxy, but before the proxy sends stuff out to the world, I want to have it looked at by an ettercap filter and then sent out.
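As an added example (not part of the original post, and not Snort's or ettercap's own code), the Python below models the replace-length semantics quoted from the Snort manual above: the first match of the content is overwritten in place, a longer replace pattern is truncated to the content length, and a shorter one only overwrites the first few bytes of the match, so the packet length never changes. It then applies that rewrite to a constructed IPv4/UDP packet and recomputes the UDP checksum over the pseudo-header, which any in-line rewriting tool has to do or the receiving host will silently discard the modified datagram. The packet, addresses, ports and payload are all made up for the demonstration.

```python
import struct


def apply_replace(payload: bytes, content: bytes, replace: bytes) -> bytes:
    """Rewrite the first occurrence of `content` the way the quoted manual text describes.

    - replace longer than content: replace is truncated to len(content)
    - replace shorter than content: only the first len(replace) bytes of the match change
    The payload length is unchanged in every case.
    """
    idx = payload.find(content)
    if idx == -1:
        return payload
    n = min(len(content), len(replace))
    return payload[:idx] + replace[:n] + payload[idx + n:]


def inet_checksum(data: bytes) -> int:
    """Standard ones'-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _udp_checksum(src: bytes, dst: bytes, udp_segment: bytes) -> int:
    # UDP checksum covers an IPv4 pseudo-header (src, dst, zero, proto 17, UDP length)
    # followed by the UDP header (checksum field zeroed) and payload.
    pseudo = src + dst + struct.pack("!BBH", 0, 17, len(udp_segment))
    return inet_checksum(pseudo + udp_segment) or 0xFFFF  # 0 is transmitted as 0xFFFF


def build_ipv4_udp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/UDP packet with valid IP and UDP checksums (test input only)."""
    udp_len = 8 + len(payload)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    csum = _udp_checksum(src, dst, udp_hdr + payload)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, csum)
    total_len = 20 + udp_len
    ip_fmt = "!BBHHHBBH4s4s"
    ip_hdr = struct.pack(ip_fmt, 0x45, 0, total_len, 0, 0, 64, 17, 0, src, dst)
    ip_hdr = struct.pack(ip_fmt, 0x45, 0, total_len, 0, 0, 64, 17, inet_checksum(ip_hdr), src, dst)
    return ip_hdr + udp_hdr + payload


def udp_checksum_ok(pkt: bytes) -> bool:
    """Verify the UDP checksum of an IPv4/UDP packet: the folded sum over pseudo-header + segment must be 0."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = pkt[12:16], pkt[16:20]
    udp = pkt[ihl:]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
    return inet_checksum(pseudo + udp[:udp_len]) == 0


def rewrite_udp_payload(pkt: bytes, content: bytes, replace: bytes) -> bytes:
    """Apply the replace rule to the UDP payload and fix the UDP checksum; IP header is untouched
    because the total length does not change."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = pkt[12:16], pkt[16:20]
    udp = pkt[ihl:]
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:udp_len]
    new_payload = apply_replace(payload, content, replace)
    if new_payload == payload:
        return pkt  # rule did not match; forward unchanged
    hdr0 = struct.pack("!HHHH", sport, dport, udp_len, 0)
    csum = _udp_checksum(src, dst, hdr0 + new_payload)
    new_udp = struct.pack("!HHHH", sport, dport, udp_len, csum) + new_payload
    return pkt[:ihl] + new_udp + pkt[ihl + udp_len:]


if __name__ == "__main__":
    # Constructed sample: a UDP datagram to port 53 whose payload mentions "yahoo".
    pkt = build_ipv4_udp(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", 53000, 53, b"ask: www.yahoo.com")
    out = rewrite_udp_payload(pkt, b"yahoo", b"xxxxx")
    print(out[28:], udp_checksum_ok(out))
```

The three branches of `apply_replace` are what the quoted manual paragraph describes, and `rewrite_udp_payload` shows the part the manual leaves implicit: because the bytes are swapped in place the length is preserved, but the transport checksum still changes and must be recomputed before the packet is forwarded.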
