Module: IPSFilter::SocketTracer
- Defined in:
- plugins/ips_filter.rb
Constant Summary
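# Signature table consulted by #ips_match: [name, regexp source] pairs,
# tried in order, first hit wins. The patterns are byte-oriented — every
# \xNN escape is a raw byte, not a character — so they only compile when
# handled as binary (NOTE(review): presumably the file is declared binary
# via a coding magic comment; confirm, since "\xcc\xe0\xfd\x7f" will not
# compile as a UTF-8 regexp).
#
# Extend this as needed :-)
#
# NOTE(review): 'DCOM.C' and 'BLASTER' carry the identical pattern, so the
# second entry can never be the one reported; rename or drop one of them.
#
# Frozen so a plugin can't silently mutate the table at runtime; edit the
# source to add signatures.
SIGS = [
  ['DCOM.C', ".*\\\x5c\x00\\\x5c\x00\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00.*\xcc\xe0\xfd\x7f.*"],
  ['BLASTER', ".*\\\x5c\x00\\\x5c\x00\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00.*\xcc\xe0\xfd\x7f.*"],
  ['REMACT', ".*\xb8\x4a\x9f\x4d\x1c\\}\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"],
  ['x86 NOP SLED', "\x90\x90"],
].freeze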
Instance Attribute Summary
-
#context ⇒ Object
Returns the value of attribute context.
Instance Method Summary
- #close(*args) ⇒ Object
- #ips_match(data) ⇒ Object
-
#read(length = nil, opts = {}) ⇒ Object
Hook the read method.
-
#write(buf, opts = {}) ⇒ Object
Hook the write method.
Instance Attribute Details
#context ⇒ Object
Returns the value of attribute context.
# Reader for the tracer's context attribute.
#
# @return [Object, nil] whatever was stored in @context, nil if never set
#   (NOTE(review): who sets it and what it holds is not visible here)
def context
  @context
end
Instance Method Details
#close(*args) ⇒ Object
# Hook the close method. Nothing is filtered on close; the override only
# forwards every argument (and any block) to the wrapped socket's close.
#
# @param args forwarded untouched to the underlying close
# @return whatever the underlying close returns
def close(*args)
  super
end
#ips_match(data) ⇒ Object
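# Scan +data+ against every signature in SIGS, in table order.
#
# @param data [String, nil] raw bytes about to be written or just read from
#   the socket
# @return [Boolean] true on the first signature hit (reported through
#   print_error), false when nothing matches, when data is nil or empty, or
#   when no signature could be compiled
def ips_match(data)
  # nil (EOF on read) and empty buffers cannot match anything. Previously a
  # nil fell through to nil.match, whose NoMethodError was swallowed by the
  # blanket rescue and reported as a bogus "Compiled error" per signature.
  return false if data.nil? || data.empty?

  # Match on a binary view of the buffer. The signatures are byte patterns
  # (\x80-\xff escapes); matching them against a non-binary string holding
  # non-ASCII characters raises Encoding::CompatibilityError, which the old
  # blanket rescue turned into a silent pass — the payload went through.
  bytes = data.dup.force_encoding(Encoding::BINARY)

  SIGS.each do |name, pattern|
    begin
      # Binary-encode the pattern so high-byte escapes compile regardless of
      # the file's source encoding. MULTILINE makes `.` match 0x0a as well;
      # without it a single newline byte inside any `.*` gap evades the rule.
      re = Regexp.new(pattern.dup.force_encoding(Encoding::BINARY),
                      Regexp::MULTILINE)
    rescue StandardError
      # Best effort: a broken table entry is reported, not fatal. Narrowed
      # from ::Exception so signals and exit are no longer swallowed.
      print_error "Compiled error: #{pattern}"
      next
    end

    if re.match(bytes)
      print_error "Matched IPS signature #{name}"
      return true
    end
  end

  false
end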
#read(length = nil, opts = {}) ⇒ Object
Hook the read method: data that was read is scanned and a warning is printed on a signature match; the data is still returned, not blocked.
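# Hook the read method: hand the data back unchanged, but warn when it
# matches a signature. Inbound traffic is never blocked here — by the time
# the check runs the bytes are already in our buffer, so this is detection
# only, not prevention.
#
# @param length [Integer, nil] forwarded to the underlying read
# @param opts [Hash] forwarded to the underlying read
# @return [String, nil] exactly what the underlying read returned (nil on EOF)
def read(length = nil, opts = {})
  data = super(length, opts)
  # nil (EOF) is not matchable; skip the scan rather than hand nil to the
  # matcher, which used to surface as a misleading "Compiled error".
  if data && ips_match(data)
    print_error "Incoming read may match a known signature"
  end
  data
end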
#write(buf, opts = {}) ⇒ Object
Hook the write method: the write is refused (0 is returned and nothing is sent) when the buffer matches a signature.
# Hook the write method: refuse to send a buffer that matches a signature.
# This is the fail-closed side of the filter — a hit means the payload never
# reaches the wire.
#
# @param buf [String] bytes the caller wants to send
# @param opts [Hash] forwarded to the underlying write
# @return [Integer] the underlying write's result, or 0 when the buffer was
#   blocked. NOTE(review): 0 is indistinguishable from "nothing sent yet", so
#   a caller that loops until the whole buffer is written would spin on a
#   blocked write — confirm how callers of this socket treat a zero return.
def write(buf, opts = {})
  return 0 if ips_match(buf).tap { |hit| print_error "Outbound write blocked due to possible signature match" if hit }
  super(buf, opts)
end