codeblog code is freedom — patching my itch

August 5, 2005

defcon 13 patch round-up

Filed under: Networking — kees @ 7:38 pm

In (useless) preparation for DefCon 13’s CTF this year, I hacked at ettercap and Snort. Since the TTL filtering trick was out of the bag, I figured I’d implement the other idea I had. Since the score bot generally is a short-lived connection to a service in CTF, it would be great if Snort-inline rules could be written to detect how long a conenction had been around for. Initially I hacked at ettercap, but that was mostly so I could build a quick-and-dirty TTL statistics gatherer. In ettercap, I had to add session time tracking, but in Snort, it was actually already there. There just wasn’t anything that could be matched against in the rules section. I lifted the TTL matcher from Snort and just used the existing connection timers to do the work and created the “age” rule. Works like a charm. I hope they take my patches.

© 2005, Kees Cook. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 License.
CC BY-SA 4.0

No Comments

No comments yet.

Powered by WordPress