In (useless) preparation for DefCon 13’s CTF this year, I hacked at ettercap and Snort. Since the TTL filtering trick was out of the bag, I figured I’d implement the other idea I had. Since the score bot generally is a short-lived connection to a service in CTF, it would be great if Snort-inline rules could be written to detect how long a connection had been around for. Initially I hacked at ettercap, but that was mostly so I could build a quick-and-dirty TTL statistics gatherer. In ettercap, I had to add session time tracking, but in Snort, it was actually already there. There just wasn’t anything that could be matched against in the rules section. I lifted the TTL matcher from Snort and just used the existing connection timers to do the work and created the “age” rule. Works like a charm. I hope they take my patches.
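To show what an “age” rule option actually decides on, here is an added Python example (it is not Kees Cook’s Snort patch, and the `age:<op><seconds>` syntax it parses is an assumption modelled on Snort’s `ttl` option). It keeps first-seen/last-seen timers per flow, the way a session table does, and evaluates an age rule against every packet of some constructed sample traffic: a short poll that looks like a score bot and a long-lived session to the same service.

```python
"""Flow-age tracker modelling a Snort-style "age" rule option.

Added example, not the Snort patch the post describes. The age:<op>N and
age:N-M syntax is a hypothetical one modelled on Snort's ttl option; the
sample packets are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

FlowKey = Tuple[str, int, str, int, str]


@dataclass
class Packet:
    ts: float      # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def flow_key(p: Packet) -> FlowKey:
    """Direction-independent 5-tuple so replies share the session's timers."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    if a <= b:
        return (p.src, p.sport, p.dst, p.dport, p.proto)
    return (p.dst, p.dport, p.src, p.sport, p.proto)


class FlowTracker:
    """Keeps first-seen/last-seen timers per flow, like a session table."""

    def __init__(self, idle_timeout: float = 60.0) -> None:
        self.idle_timeout = idle_timeout
        self.first_seen: Dict[FlowKey, float] = {}
        self.last_seen: Dict[FlowKey, float] = {}

    def observe(self, p: Packet) -> float:
        """Record the packet and return the age (seconds) of its session."""
        k = flow_key(p)
        last = self.last_seen.get(k)
        # A flow idle longer than the timeout is treated as a new session,
        # mirroring a session table that has expired the old entry.
        if last is None or p.ts - last > self.idle_timeout:
            self.first_seen[k] = p.ts
        self.last_seen[k] = p.ts
        return p.ts - self.first_seen[k]


def parse_age_option(spec: str) -> Callable[[float], bool]:
    """Parse 'age:<op>N;' or 'age:N-M;' (hypothetical syntax, after ttl)."""
    body = spec.strip().rstrip(";")
    if body.startswith("age:"):
        body = body[len("age:"):].strip()
    # Two-character operators must be tried before their one-character prefixes.
    for op, fn in ((">=", lambda a, n: a >= n), ("<=", lambda a, n: a <= n),
                   (">", lambda a, n: a > n), ("<", lambda a, n: a < n),
                   ("=", lambda a, n: a == n)):
        if body.startswith(op):
            n = float(body[len(op):])
            return lambda age, n=n, fn=fn: fn(age, n)
    if "-" in body:                      # inclusive range, as ttl:N-M
        lo, hi = (float(x) for x in body.split("-", 1))
        return lambda age: lo <= age <= hi
    n = float(body)                      # bare number means equality
    return lambda age: age == n


def match_age_rule(packets: List[Packet], spec: str,
                   idle_timeout: float = 60.0) -> List[float]:
    """Return timestamps of packets whose session age satisfies the rule."""
    test = parse_age_option(spec)
    tracker = FlowTracker(idle_timeout)
    return [p.ts for p in packets if test(tracker.observe(p))]


# Constructed sample traffic: a short score-bot style poll (10.0.0.5) and a
# long-lived session (10.0.0.7) to the same service, with one reply packet.
SAMPLE: List[Packet] = [
    Packet(0.0, "10.0.0.5", 40000, "10.0.0.9", 80),
    Packet(0.2, "10.0.0.7", 51000, "10.0.0.9", 80),
    Packet(0.5, "10.0.0.5", 40000, "10.0.0.9", 80),
    Packet(1.5, "10.0.0.5", 40000, "10.0.0.9", 80),
    Packet(20.0, "10.0.0.7", 51000, "10.0.0.9", 80),
    Packet(45.0, "10.0.0.7", 51000, "10.0.0.9", 80),
    Packet(46.0, "10.0.0.9", 80, "10.0.0.7", 51000),   # reply direction
    Packet(90.0, "10.0.0.7", 51000, "10.0.0.9", 80),
]

if __name__ == "__main__":
    print("age:>30 ->", match_age_rule(SAMPLE, "age:>30;"))
    print("age:<5  ->", match_age_rule(SAMPLE, "age:<5;"))
```

The `idle_timeout` argument is the part to watch: the age a rule sees is only as meaningful as the session timers behind it, so a flow that goes quiet past the engine’s timeout starts counting from zero again when it resumes, and `age:>30` stops matching it until it has been active for another 30 seconds.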
© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.