Is there any kind of software app out there you can point me toward that would be meant for such a process? I appreciate the feedback.
----- Original Message -----
From: "Darren Bounds" <[EMAIL PROTECTED]>
To: "'Quasar'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Sunday, June 15, 2003 5:56 PM
Subject: RE: [tcpdump-workers] Question about grabbing/modifying packets

> While snort-inline does modify the packet in transit, I'm not sure it's
> what you're looking for in this case. It was merely meant as an example
> of the technology you were inquiring about.
>
> As far as modifying the packet in transit, unless there are
> inconsistencies introduced to the packet stream once they're modified,
> as far as the transport layer is concerned, the source and destination
> hosts should be unaware of your tampering. For a TCP session, invalid
> sequence or acknowledge numbering, source and destination ports or flags
> are a few obvious examples of such inconsistencies.
>
> Darren Bounds
> Security Consultant
> Information Security Services
> Intrusense Inc.
>
> -----Original Message-----
> From: Quasar [mailto:[EMAIL PROTECTED]
> Sent: Sunday, June 15, 2003 7:41 PM
> To: Darren Bounds; [EMAIL PROTECTED]
> Subject: Re: [tcpdump-workers] Question about grabbing/modifying packets
>
> Is it possible to modify the packets using that snort-inline patch? Or how
> would I go about that? Also if you modify the packet and re-insert it into
> the stream is that transparent to the application or are there built-in
> CRCs and things on UDP packets that would change?
> Thanks
>
> ----- Original Message -----
> From: "Darren Bounds" <[EMAIL PROTECTED]>
> To: "'Quasar'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Sunday, June 15, 2003 5:23 PM
> Subject: RE: [tcpdump-workers] Question about grabbing/modifying packets
>
> I believe the proper term for what you're speaking about is "packet
> scrubbing".
>
> Among many others, the Snort-Inline patch for Snort IDS does this but
> uses libipq rather than libpcap.
>
> Available at: http://snort-inline.sf.net
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Quasar
> Sent: Sunday, June 15, 2003 2:52 PM
> To: [EMAIL PROTECTED]
> Subject: [tcpdump-workers] Question about grabbing/modifying packets
>
> Goal:
> To be able to watch for certain packets, edit them, place them back in
> the stream so the application is unaware that anything has been changed,
> i.e. the sender or anything like that.
>
> Possible implementations that I can think of:
> place Linux machine in between me and the internet and write some kind of
> program to watch for those packets, change them if need be, and have it
> forward the packets to this machine
>
> write a low level NDIS or TDI driver in Windows
> (don't have any experience doing either of those other than ONLY
> forwarding packets with a Linux machine between me and the internet
> using iptables)
>
> Are there any links anyone can provide on how this could be accomplished,
> or am I heading in the right direction? Also I am wondering how I can
> stop the stream, maybe stick it in a buffer or something while I work on
> that packet then re-insert it and re-enable the stream? Anyway I'm new
> to this and figured the veterans might be able to help.
> Thanks in advance-

-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]
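
On the UDP checksum question raised in the thread, an added example that is not part of the original messages: C code for the RFC 768 checksum over the IPv4 pseudo-header, showing that a datagram whose payload was edited fails verification until the checksum field is recomputed. The addresses, ports, payload and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Add len bytes to a one's-complement sum as big-endian 16-bit words. */
static uint32_t sum16(uint32_t acc, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) acc += ((uint32_t)p[0] << 8) | p[1];
    if (len) acc += (uint32_t)p[0] << 8;   /* odd trailing byte, zero padded */
    return acc;
}

/* RFC 768 checksum with IPv4 pseudo-header; returns 0 if seg[6..7] is consistent. */
uint16_t udp_residual(const uint8_t src[4], const uint8_t dst[4],
                      const uint8_t *seg, size_t len) {
    uint8_t ph[4] = { 0, 17, (uint8_t)(len >> 8), (uint8_t)len }; /* zero, proto, UDP length */
    uint32_t acc = sum16(sum16(sum16(sum16(0, src, 4), dst, 4), ph, 4), seg, len);
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Recompute and store the checksum; a computed 0 is transmitted as 0xFFFF. */
void udp_fill(const uint8_t src[4], const uint8_t dst[4], uint8_t *seg, size_t len) {
    seg[6] = seg[7] = 0;
    uint16_t c = udp_residual(src, dst, seg, len);
    if (c == 0) c = 0xffff;
    seg[6] = (uint8_t)(c >> 8); seg[7] = (uint8_t)c;
}

/* 1 = consistent, 0 = mismatch or truncated, -1 = checksum not used (IPv4). */
int udp_check(const uint8_t src[4], const uint8_t dst[4], const uint8_t *seg, size_t len) {
    if (len < 8) return 0;
    if (seg[6] == 0 && seg[7] == 0) return -1;
    return udp_residual(src, dst, seg, len) == 0;
}

/* Constructed sample: 192.0.2.1:5000 -> 192.0.2.2:9999 carrying "hello". */
int demo(int edit, int refill) {
    const uint8_t src[4] = {192, 0, 2, 1}, dst[4] = {192, 0, 2, 2};
    uint8_t seg[13] = {0x13, 0x88, 0x27, 0x0f, 0, 13, 0, 0, 'h', 'e', 'l', 'l', 'o'};
    udp_fill(src, dst, seg, sizeof seg);
    if (edit) seg[8] = 'j';                          /* payload changed in transit */
    if (refill) udp_fill(src, dst, seg, sizeof seg); /* what an inline scrubber must do */
    return udp_check(src, dst, seg, sizeof seg);
}

int main(void) {
    printf("intact=%d edited=%d edited+refilled=%d\n", demo(0, 0), demo(1, 0), demo(1, 1));
    return 0;
}
```

The checksum is an error-detection code that any device in the path can recompute, so a passing check does not show that the datagram is unmodified; that guarantee needs a keyed integrity mechanism above or below UDP.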
