==== Rewrite
-IPS action rewrite enables overwrite packet contents based on "replace"
-option in the rules.
+IPS action "rewrite" enables overwrite packet contents based on "replace"
+option in the rules. Note that using "rewrite" action without "replace"
+option will raise corresponding rule alert, but will not overwrite the
+packet payload.
For example:
rules = local_rules,
}
-this rule replaces "index.php" with "indax.php", and rewrite action
-updates that packet.
+this rule replaces the first occurrence of "index.php" with "indax.php",
+and "rewrite" action updates that packet.
+
+Content and replacement are aligned to the right side of the matching
+content and are limited not by the size of the matching content, but
+by the boundaries of the packet.
+
+ Example:
+
+ rewrite http any any -> any any
+ (
+ msg:"Small replace";
+ content:"content";
+ replace:"text";
+ sid:1000002;
+ )
+
+ this rule replaces "malicious content" to "malicious context".
+
+ Example:
+
+ rewrite http any any -> any any
+ (
+ msg:"Big replace";
+ content:"content";
+ replace:"y favorite page!";
+ sid:1000002;
+ )
+
+ this rule replaces "malicious content" to "my favorite page!".
+
+Be aware that after the match there should be enough room left for the
+"replace" content in the matched packet. If there is not enough space
+for the "replace" content the rule will not match.
+
+"replace" works for raw packets only. So, TCP data must either fit
+under the "pkt_data" buffer requirements or one should enable detection
+on TCP payload before reassembly: search_engine.detect_raw_tcp=true.
+For example:
+
+ Rule that does not require search_engine.detect_raw_tcp=true:
+
+ rewrite udp any any -> any any
+ (
+ msg:"TEST 1";
+ sid:1000002;
+ content:"attack";
+ replace:"abc123";
+ )
+
+ Rule that does require search_engine.detect_raw_tcp=true:
+
+ rewrite http any any -> any any
+ (
+ msg:"TEST 2";
+ content:"/content.html";
+ replace:"/replace.html";
+ sid:1000002;
+ )
\ No newline at end of file
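Review bot: The space requirement in the paragraph beginning "Be aware that after the match there should be enough room left" reads as if the replacement grows past the end of the match, but both worked examples show it growing backwards from the match end: "content" -> "text" turns "malicious content" into "malicious context", and "content" -> "y favorite page!" turns it into "my favorite page!", so the extra bytes are consumed before the match, not after. Suggest rewording to say the replacement is right-aligned with the end of the matched content and may extend toward the start of the payload, and stating explicitly that when it does not fit the rule produces no alert either ("the rule will not match"), since an operator who relies on that rule's alert for detection needs to know it is suppressed in that case. Minor wording: "enables overwrite packet contents" should be "enables overwriting packet contents", "replaces ... to ..." should be "replaces ... with ...", and all four example rules reuse sid:1000002; give them distinct sids so a reader can load more than one of them at once.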
react is used.
Rewrite enables overwrite packet contents based on "replace" option in the
-rules.
+rules. Note that using "rewrite" action without "replace" option will raise
+the appropriate rule alert but will not overwrite the packet payload.
+Rewrite/replace works for raw packets only.
Ips actions are all pluggable and implemented as subclasses of IpsAction action.
Each ips action instance has an instance of the active action that is used to
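Review bot: "Rewrite/replace works for raw packets only." drops the condition that matters operationally: the user-facing copy of this text notes that TCP payload is only rewritable when it fits the "pkt_data" buffer requirements or search_engine.detect_raw_tcp=true is set, so either add that sentence here or point to that section; otherwise a developer reading dev_notes will not learn why rewrite does not apply to reassembled TCP data. Grammar: "enables overwrite packet contents" should be "enables overwriting packet contents", and "will raise the appropriate rule alert" reads better as "will still raise the rule's alert".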
The "sd_pattern" will be used as a fast pattern in the future (like "regex")
for performance.
+
+"replace" option has the following restrictions:
+- Content and replacement are aligned to the right side of the matching
+content and are limited not by the size of the matching content, but
+by the boundaries of the packet.
+- Be aware that after the match there should be enough room left for the
+"replace" content in the matched packet. If there is not enough space
+for the "replace" content the rule will not match.
+- Only the first occurrence of the content will be replaced.
+- "replace" works for raw packets only. So, TCP data must either fit
+under the "pkt_data" buffer requirements or one should enable detection
+on TCP payload before reassembly: search_engine.detect_raw_tcp=true.
\ No newline at end of file
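Review bot: The four restrictions duplicate, nearly word for word, the paragraphs added in the user documentation hunk above (right-side alignment, room left after the match, first occurrence only, raw packets and search_engine.detect_raw_tcp=true), so the two copies will drift apart unless one becomes the reference; suggest keeping this list as the canonical statement and having the other section point to it, or at least applying the same wording fixes to both. The second bullet also carries the same ambiguity as its twin: the examples elsewhere show the replacement extending before the match (right-aligned to its end), so "enough room left after the match" should say on which side of the match the room is needed. Missing article in the lead line: "The "replace" option has the following restrictions:".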