Module: IPSFilter::SocketTracer

Defined in:
plugins/ips_filter.rb


SIGS =
  # Extend this as needed :-)
  #
  # Each entry is [name, pattern].  ips_match compiles +pattern+ with
  # Regexp.new on every scan and reports +name+ on the first hit, so order
  # matters when two patterns overlap.  The patterns contain raw high bytes
  # (\xcc, \xe0, \xb8, ...); compiling them relies on the source encoding of
  # these literals agreeing with the buffers they are matched against —
  # NOTE(review): the file's magic encoding comment is not visible here, confirm.
[
  # DCOM.C and BLASTER carry an identical pattern (the \x46\x00\x58\x00...
  # run spells "FXNBFXFX" as UTF-16LE), so any hit is reported as DCOM.C
  # because it is listed first.  The leading/trailing .* do not change
  # whether an unanchored match succeeds; whether they cost extra
  # backtracking on large buffers is not established here.
  ['DCOM.C', ".*\\\x5c\x00\\\x5c\x00\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00.*\xcc\xe0\xfd\x7f.*"],
  ['BLASTER', ".*\\\x5c\x00\\\x5c\x00\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00.*\xcc\xe0\xfd\x7f.*"],
  # The "\\}" is a regex-escaped literal "}" byte inside the binary sequence.
  ['REMACT', ".*\xb8\x4a\x9f\x4d\x1c\\}\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"],
  # Any two consecutive 0x90 bytes, anywhere in the buffer.  This is a very
  # broad test and will also flag ordinary binary data that happens to
  # contain the pair; expect false positives from it.
  ['x86 NOP SLED', "\x90\x90"],
].freeze



Instance Attribute Details

#contextObject

Returns the value of attribute context.



# File 'plugins/ips_filter.rb', line 55

# Reader for the context object attached to this tracer.
#
# @return [Object, nil] whatever was stored in @context, or nil when nothing
#   has been assigned yet
def context = @context

Instance Method Details

#ips_match(data) ⇒ Object



# File 'plugins/ips_filter.rb', line 75

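# Scan +data+ against every entry in SIGS and report the first signature hit.
#
# @param data [String, nil] the buffer about to be written or just read
# @return [Boolean] true when any signature pattern matches, false otherwise
#   (nil and empty buffers always yield false)
#
# A signature whose pattern fails to compile, or that cannot be matched
# against the buffer's encoding, is reported and skipped so that one bad
# entry in SIGS cannot take the whole filter out of service.
def ips_match(data)
  # A read hook can presumably hand back nil when no data arrived, and an
  # empty buffer cannot carry a signature.  Without this guard nil reached
  # String#match, and the resulting NoMethodError was swallowed by the old
  # `rescue ::Exception` and misreported as a compile error.
  return false if data.nil? || data.empty?

  SIGS.each do |name, pattern|
    # Patterns hold raw high bytes; compiling and matching them relies on the
    # signature literals and +data+ sharing a compatible encoding.
    # NOTE(review): the file's magic encoding comment is not visible here — confirm.
    if data.match?(Regexp.new(pattern))
      print_error "Matched IPS signature #{name}"
      return true
    end
  rescue RegexpError, Encoding::CompatibilityError
    # Only regexp trouble is best-effort.  Anything else (a programming error,
    # an interrupt, SystemExit) must surface rather than be silenced, which is
    # what the previous catch-all rescue did.
    print_error "Compiled error: #{pattern}"
  end

  false
end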

#read(length = nil, opts = {}) ⇒ Object

Hook the read method



# File 'plugins/ips_filter.rb', line 67

# Hook the read method: pass the call through, then warn if the returned
# buffer trips an IPS signature.  The data is still returned unchanged —
# inbound traffic is reported, not blocked.
#
# @param length [Integer, nil] forwarded to the underlying read
# @param opts [Hash] forwarded to the underlying read
# @return [Object] whatever the underlying read returned
def read(length = nil, opts = {})
  data = super(length, opts)
  print_error 'Incoming read may match a known signature' if ips_match(data)
  data
end

#write(buf, opts = {}) ⇒ Object

Hook the write method



# File 'plugins/ips_filter.rb', line 58

# Hook the write method: a buffer that trips an IPS signature is withheld
# and reported instead of being sent.
#
# @param buf [String] outbound data
# @param opts [Hash] forwarded to the underlying write
# @return [Object] whatever the underlying write returned, or 0 when the
#   buffer was withheld
def write(buf, opts = {})
  return super(buf, opts) unless ips_match(buf)

  print_error 'Outbound write blocked due to possible signature match'
  # NOTE(review): returning 0 here is the original behaviour; a caller that
  # loops until the full length is written could retry this buffer forever —
  # confirm against the callers before relying on it.
  0
end