* reading positions with the u32 module
@ 2014-04-24 16:24 William Taylor
0 siblings, 0 replies; only message in thread
From: William Taylor @ 2014-04-24 16:24 UTC (permalink / raw)
To: netfilter
I'm trying to find out if it's possible to read a value from a packet
and skip forward by that amount and start processing the packet from
that offset.
I tried something like this where 28&0xFF was the position where I
wanted to read my value from but couldn't seem to get it to work.
0>>22&0x3C@28&0xFF000000>>@0&0xDFDFDFDF=0x464F4F4F
For a little more context I'm trying to do this so I can block dns
requests that have random hostnames prepended to the domain. The idea being
I can generate a rule that matches the domain and it will work with
whatever hostname is attached to it.
Read 0x03 jump 3 bytes forward then start matching on 0x04666F6F6F0x03636F6D
www.fooo.com : 0x037777770x04666F6F6F0x03636F6D00
Is this possible? Any help would be appreciated.
Thanks,
William
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2014-04-24 16:24 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-04-24 16:24 reading positions with the u32 module William Taylor
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).