ETTERFILTER(8)                System Manager's Manual                ETTERFILTER(8)
etterfilter - Filter compiler for ettercap content filtering engine
etterfilter [OPTIONS] FILE
The etterfilter utility is used to compile source filter files into binary filter files that can be interpreted by the JIT interpreter in the ettercap(8) filter engine. You have to compile your filter scripts in order to use them in ettercap. All syntax/parse errors will be checked at compile time, so you will be sure to produce a correct binary filter for ettercap.
NOTE: you have to put a space between the 'if' and the '('. You must not put the space between the function name and the '('.
Example:
if (conditions) { }
func(args...);
The conditions for an 'if' statement can be either functions or comparisons. Two or more conditions can be linked together with logical operators like OR '||' and AND '&&'.
Example:
if (tcp.src == 21 && search(DATA.data, "ettercap")) {
}
Pay attention to the operator precedence. You cannot use parentheses to group conditions, so be careful with the order. An AND right after the first condition of a block excludes all the other tests if that condition evaluates to false. Parsing is left-to-right; when an operator is found: if it is an AND and the preceding condition is false, the whole statement is evaluated as false; if it is an OR, parsing goes on even if the condition is false.
Example:
if (ip.proto == UDP || ip.proto == TCP && tcp.src == 80) {
}
if (ip.proto == TCP && tcp.src == 80 || ip.proto == UDP) {
}
The former condition will match all udp or http traffic. The latter is wrong, because if the packet is not tcp, the whole condition block will be evaluated as false. If you want to build complex conditions, the best way is to split them into nested 'if' blocks.
Since etterfilter supports both IP address families, take care whether you use 'ip.proto', which is specific to the IPv4 address family, or its IPv6 counterpart 'ipv6.nh'. In particular, when matching the L4 protocol with 'ip.proto' and/or 'ipv6.nh', make sure you are really acting on the intended protocol. Enforce this with the L3 protocol identifier 'eth.proto'.
Example:
if (eth.proto == IP && ip.proto == TCP && tcp.dst == 80 || tcp.src == 80) {
}
if (eth.proto == IP6 && ipv6.nh == TCP && tcp.dst == 80 || tcp.src == 80) {
}
if (tcp.dst == 80 || tcp.src == 80) {
}
The first example correctly matches http traffic only on IPv4, while the second matches http traffic only on IPv6. The third example matches http regardless of the IP address family.
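To make the left-to-right evaluation rule concrete, here is a small Python model (an added example, not part of this man page or of the ettercap code) that walks a chain of conditions the way the text describes: an '&&' following a false condition ends the block as false, an '||' following a true condition ends it as true, and otherwise the last condition decides. The '||' short-circuit to true is my reading of the "matches all udp or http traffic" statement. It checks the two UDP/HTTP examples and the three eth.proto examples against constructed packets; the packet dicts and their keys are illustrative stand-ins for ip.proto, ipv6.nh, tcp.src and tcp.dst, not ettercap structures.

```python
"""Model of etterfilter's left-to-right condition evaluation (added example)."""

# Constructed constants: L4 protocol numbers and Ethernet type fields.
UDP, TCP = 17, 6
IP, IP6 = 0x0800, 0x86DD


def evaluate(conds, ops):
    """Evaluate a chain of conditions without grouping, left to right.

    conds: booleans, one per condition, already evaluated for one packet
    ops:   the '&&' / '||' operators between them (len(ops) == len(conds) - 1)

    Rule (assumption, read from the man page): after each condition, look at
    the operator that follows it. '&&' after a false condition makes the whole
    block false; '||' after a true condition makes it true; otherwise carry on,
    and the last condition decides.
    """
    assert len(ops) == len(conds) - 1, "one operator between each pair of conditions"
    for cond, op in zip(conds, ops):
        if op == "&&" and not cond:
            return False
        if op == "||" and cond:
            return True
    return conds[-1]


def former(pkt):
    # if (ip.proto == UDP || ip.proto == TCP && tcp.src == 80)
    return evaluate([pkt["l3proto"] == UDP,
                     pkt["l3proto"] == TCP,
                     pkt["sport"] == 80], ["||", "&&"])


def latter(pkt):
    # if (ip.proto == TCP && tcp.src == 80 || ip.proto == UDP)
    return evaluate([pkt["l3proto"] == TCP,
                     pkt["sport"] == 80,
                     pkt["l3proto"] == UDP], ["&&", "||"])


def ipv4_http(pkt):
    # if (eth.proto == IP && ip.proto == TCP && tcp.dst == 80 || tcp.src == 80)
    return evaluate([pkt["eth"] == IP, pkt["l3proto"] == TCP,
                     pkt["dport"] == 80, pkt["sport"] == 80],
                    ["&&", "&&", "||"])


def ipv6_http(pkt):
    # if (eth.proto == IP6 && ipv6.nh == TCP && tcp.dst == 80 || tcp.src == 80)
    return evaluate([pkt["eth"] == IP6, pkt["l3proto"] == TCP,
                     pkt["dport"] == 80, pkt["sport"] == 80],
                    ["&&", "&&", "||"])


def any_http(pkt):
    # if (tcp.dst == 80 || tcp.src == 80)
    return evaluate([pkt["dport"] == 80, pkt["sport"] == 80], ["||"])


# Constructed sample packets: 'eth' is the Ethernet type, 'l3proto' stands in
# for ip.proto / ipv6.nh, 'sport' and 'dport' for tcp.src / tcp.dst.
PACKETS = {
    "udp_dns": dict(eth=IP,  l3proto=UDP, sport=53,    dport=40000),
    "http_v4": dict(eth=IP,  l3proto=TCP, sport=80,    dport=40001),
    "ssh_v4":  dict(eth=IP,  l3proto=TCP, sport=22,    dport=40002),
    "http_v6": dict(eth=IP6, l3proto=TCP, sport=40003, dport=80),
}


def results():
    """Outcome of every example condition for every constructed packet."""
    checks = dict(former=former, latter=latter, ipv4_http=ipv4_http,
                  ipv6_http=ipv6_http, any_http=any_http)
    return {name: {c: fn(pkt) for c, fn in checks.items()}
            for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, row in results().items():
        print(f"{name:8s}", " ".join(f"{c}={v!s:5s}" for c, v in row.items()))
```

The row for udp_dns is the one to look at: the former condition is true, the latter false, because the first '&&' meets a false 'ip.proto == TCP' and ends the block. Splitting the two cases into separate 'if' blocks, as the text recommends, avoids relying on this ordering.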
Every instruction in a block must end with a semicolon ';'.
Comparisons are implemented with the '==' operator and can be used to compare numbers, strings or ip addresses. An ip address MUST be enclosed within two single quotes (e.g. '192.168.0.7' or '2001:db8::2'). You can also use the 'less than' ('<'), 'greater than' ('>'), 'less or equal' ('<=') and 'greater or equal' ('>=') operators. The lvalue of a comparison must be an offset (see later).
Example:
if (DATA.data + 20 == "ettercap" && ip.ttl > 16) {
}
Assignments are implemented with the '=' operator and the lvalue can be an offset (see later). The rvalue can be a string, an integer or a hexadecimal value.
Example:
ip.ttl = 0xff;
DATA.data + 7 = "ettercap NG";
You can also use the 'inc' and 'dec' operations on the packet fields. The operators used are '+=' and '-='. The rvalue can be an integer or a hexadecimal value.
Example:
ip.ttl += 5;
More examples can be found in the etter.filter.examples file.
Virtual pointers are in the form 'name.field.subfield'. For example 'ip.ttl' is the virtual pointer for the Time To Live field in the IP header of a packet. It will be translated as <L=3, O=9, S=1>. Indeed it is the 9th byte of level 3 and its size is 1 byte. 'ip.ttl + 1' is the same as 'ip.proto', since the 10th byte of the IP header is the protocol encapsulated in the IP packet. Note that since etterfilter also supports IPv6, the above applies only to IPv4 packets; the IPv6 counterpart of 'ip.proto' is 'ipv6.nh'.
The list of all supported virtual pointers is in the file etterfilter.tbl. You can add your own virtual pointers by adding a new table or modifying the existing ones. Refer to the comments at the beginning of the file for the syntax of etterfilter.tbl file.
example:
search(DATA.data, "\x41\x42\x43")
NOTE: regex can be used only against a string buffer.
example:
regex(DECODED.data, ".*login.*")
example:
pcre_regex(DATA.data, ".*foo$")
pcre_regex(DATA.data, "([^ ]*) bar ([^ ]*)", "foo $1 $2")
example:
replace("ethercap", "ettercap")
example:
inject("./fake_packet")
example:
log(DECODED.data, "/tmp/interesting.log")
example:
msg("Packet filtered successfully")
example:
drop()
example:
kill()
example:
exec("/bin/cat /tmp/foo >> /tmp/bar")
example:
execinject("/bin/cat /tmp/foo")
example:
execreplace("tr A-Z a-z")
example:
exit()
Here are some examples of using etterfilter.
Compiles the source filter.ecf into a binary filter.ef
Alberto Ornaghi (ALoR) <alor@users.sf.net>
Marco Valleri (NaGA) <naga@antifork.org>
Emilio Escobar (exfil) <eescobar@gmail.com>
Eric Milam (Brav0Hax) <jbrav.hax@gmail.com>
Mike Ryan (justfalter) <falter@gmail.com>
Gianfranco Costamagna (LocutusOfBorg) <costamagnagianfranco@yahoo.it>
Antonio Collarino (sniper) <anto.collarino@gmail.com>
Ryan Linn <sussuro@happypacket.net>
Jacob Baines <baines.jacob@gmail.com>
Dhiru Kholia (kholia) <dhiru@openwall.com>
Alexander Koeppe (koeppea) <format_c@online.de>
Martin Bos (PureHate) <purehate@backtrack.com>
Enrique Sanchez
Gisle Vanem <giva@bgnett.no>
Johannes Bauer <JohannesBauer@gmx.de>
Daten (Bryan Schneiders) <daten@dnetc.org>
etter.filter.examples
ettercap(8) etterlog(8) etter.conf(5)
ettercap_curses(8) ettercap_plugins(8)
ettercap-pkexec(8)
ettercap 0.8.3.1