Module: IPSFilter::SocketTracer

Defined in:

plugins/ips_filter.rb

Constant Summary

SIGS =

Extend this as needed :-)

[
  ['DCOM.C', ".*\\\x5c\x00\\\x5c\x00\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00.*\xcc\xe0\xfd\x7f.*"],
  ['BLASTER', ".*\\\x5c\x00\\\x5c\x00\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00.*\xcc\xe0\xfd\x7f.*"],
  ['REMACT', ".*\xb8\x4a\x9f\x4d\x1c\\}\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"],
  ['x86 NOP SLED', "\x90\x90"],
]

Instance Attribute Summary

• #context ⇒ Object

  Returns the value of attribute context.

Instance Method Summary

• #close(*args) ⇒ Object
• #ips_match(data) ⇒ Object
• #read(length = nil, opts = {}) ⇒ Object

  Hook the read method.

• #write(buf, opts = {}) ⇒ Object

  Hook the write method.

Instance Attribute Details

#context ⇒ Object

Returns the value of attribute context.

# File 'plugins/ips_filter.rb', line 66

def context
  @context
end

Instance Method Details

#close(*args) ⇒ Object

# File 'plugins/ips_filter.rb', line 86

def close(*args)
  super(*args)
end

#ips_match(data) ⇒ Object

# File 'plugins/ips_filter.rb', line 90

def ips_match(data)
  lp = localport
  rp = peerport

  SIGS.each do |s|
    begin
      r = Regexp.new(s[1])
      if (data.match(r))
        print_error "Matched IPS signature #{s[0]}"
        return true
      end
    rescue ::Exception => e
      print_error "Compiled error: #{s[1]}"
    end
  end

  return false
end

#read(length = nil, opts = {}) ⇒ Object

Hook the read method

# File 'plugins/ips_filter.rb', line 78

def read(length = nil, opts = {})
  r = super(length, opts)
  if (ips_match(r))
    print_error "Incoming read may match a known signature"
  end
  return r
end

#write(buf, opts = {}) ⇒ Object

Hook the write method

# File 'plugins/ips_filter.rb', line 69

def write(buf, opts = {})
  if (ips_match(buf))
    print_error "Outbound write blocked due to possible signature match"
    return 0
  end
  super(buf, opts)
end