Forum Discussion
Tim_W_72292
Nimbostratus
NimbostratusChanging an ip address in an RMI connection
Hi,
I am trying to change an ip address within an RMI connection, and I am not really too sure where to start. The data is as follows:
JRMI..KN..10.10.10.141.....
15.15.15.24...YP....w".................K........;.;>O.@.t..
The 15.15.15.24 address needs to be changed to 10.10.10.141.
Any ideas? The connection will always start the same way and is always from and to the same ip's (source and destination) but from different ports.
Thanks in advance.
Tim_W_72292Hi,
As rmi runs on tcp i have had the following idea, though I am not sure about the TCP::payload delivery, does this look right? just changed it a little
rule test_1 {
when CLIENT_ACCEPTED {
if { ( [IP::client_addr] = "10.10.10.152") } {
TCP::collect 30
}
when CLIENT_DATA {
Do a regsub search and replace
set bad-ip "15.15.15.24"
set replace-ip "10.10.10.141"
if { [regsub -all $bad-ip [TCP::payload] $replace-ip new-ip ] > 0} {
TCP::payload replace -1 31 $new-ip
TCP::release
}
}
Cheers
Tim
hoolioCirrostratus
Is the replacement in the TCP payload? If it is TCP and in the payload, you could also use a stream profile with STREAM::expression and STREAM::enable in CLIENT_ACCEPTED to perform the replacement in the payload. Check the STREAM::expression wiki page for an example (Click here). Collecting the payload and using regsub should work, but require more resources.
Aaron- Tim_W_72292Aaron,
We only have version 9.1.3, so STREAM is not available at the moment, We are limited by the version due to R&D specs and testing ;-( But the ip is in the payload.
Cheers
Tim - hoolioTim,
So it looks like you're stuck with collecting the payload. Make sure to replace the full stops with backslashes in the original and replacement IP addresses--else they'll be interpreted as a wildcard repeat of the previous character (set bad-ip {15\.15\.15\.24}). Also, I think you'd want to specify 0 for the offset instead of -1 to start the replacement at the start of the payload.
Aaron - Tim_W_72292Aaron,
So you reckon like this then
rule test_1 {
when CLIENT_ACCEPTED {
if { ( [IP::client_addr] = "10.10.10.152") } {
TCP::collect 30
}
when CLIENT_DATA {
Do a regsub search and replace
set bad-ip {15\15\15\24}
set replace-ip {10\10\10\141}
if { [regsub -all $bad-ip [TCP::payload] $replace-ip new-ip ] > 0} {
TCP::payload replace 0 31 $new-ip
TCP::release
}
}
Cheers
Tim - hoolioCan you try this?
when CLIENT_ACCEPTED { if {[IP::addr [IP::client_addr] equals 10.10.10.152]} { TCP::collect 30 } } when CLIENT_DATA { Do a regsub search and replace set bad_ip {15\.15\.15\.24} set replace_ip {10\.10\.10\.141} if { [regsub -all $bad_ip [TCP::payload] $replace_ip new_payload ] > 0} { TCP::payload replace 0 [TCP::payload length] $new_payload TCP::release } }
Aaron