/usr/share/ettercap/etter.filter.examples is in ettercap-common 1:0.8.2-2build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
############################################################################
# #
# ettercap -- etter.filter.examples -- filter source file #
# #
# Copyright (C) ALoR & NaGA #
# #
# This program is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
############################################################################
# Example filter bodies for ettercap's etterfilter compiler.  Each block
# below is an independent, self-contained example.
# make sure this filter will not be used...
# exit() is the very first statement, so (per the note above) the examples
# that follow are never evaluated when this file is compiled as-is.
exit();
# display a message if the tcp port is 22
# The outer test guards the transport layer before any tcp.* field is
# read; the inner test matches either direction of a port-22 (SSH) flow.
if (ip.proto == TCP) {
if (tcp.src == 22 || tcp.dst == 22) {
msg("SSH packet\n");
}
}
# log all telnet traffic, also execute ./program on every packet
# log() writes the raw payload (DATA.data) to the named file and exec()
# runs an external command for every matching packet.  Both paths are
# relative, so they are presumably resolved against the working directory
# of the ettercap process -- a real filter should use absolute paths.
if (ip.proto == TCP) {
if (tcp.src == 23 || tcp.dst == 23) {
log(DATA.data, "./logfile.log");
exec("./program");
}
}
# log all traffic except http
# Same shape as above, with the three tests folded into one condition.
if (ip.proto == TCP && tcp.src != 80 && tcp.dst != 80) {
log(DATA.data, "./logfile.log");
}
# some operation on the payload of the packet
# "DATA.data + N" addresses the payload at byte offset N, both when read
# (comparison) and when written (assignment).  0x4142, 0x4243 and 0x4445
# are the ASCII pairs "AB", "BC" and "DE".  In the else branch the whole
# payload is replaced first and offset 20 is written afterwards; what
# happens when the payload is shorter than the offset is not visible here
# -- check the etterfilter documentation before relying on it.
if ( DATA.data + 20 == 0x4142 ) {
DATA.data + 20 = 0x4243;
} else {
DATA.data = "modified";
DATA.data + 20 = 0x4445;
}
# drop any packet containing "ettercap"
# search() is a plain substring match on the decoded payload.  drop()
# discards the packet; kill() is presumably the stronger action of
# terminating the connection the packet belongs to -- confirm in the docs.
if (search(DECODED.data, "ettercap")) {
msg("some one is talking about us...\n");
drop();
kill();
}
# log ssh decrypted packets matching the regexp
# DECODED.data (rather than DATA.data) is used here because, as the
# comment above says, it holds the decrypted payload.
if (ip.proto == TCP) {
if (tcp.src == 22 || tcp.dst == 22) {
if (regex(DECODED.data, ".*login.*")) {
log(DECODED.data, "./decrypted_log");
}
}
}
# dying packets
if (ip.ttl < 5) {
msg("The packet will die soon\n");
}
# the same for IPv6 but make sure we really see IPv6 packets doing such trivial tests
# ipv6.hl is only meaningful on an IPv6 frame, hence the eth.proto guard.
if (eth.proto == IP6 && ipv6.hl < 5) {
msg("The IPv6 packet will die soon\n");
}
# string comparison at a given offset
# Compares the bytes starting at payload offset 40 with the string "ette".
if (DATA.data + 40 == "ette") {
log(DATA.data, "./logfile");
}
# inject a file after a specific packet
# inject() sends the contents of the named file after this packet.
# NOTE(review): unlike the earlier examples there is no ip.proto == TCP
# guard before tcp.src is read; whether tcp.* fields are defined for
# non-TCP packets is not visible here, so add the guard if in doubt.
if (tcp.src == 21 && search(DATA.data, "root")) {
inject("./fake_response");
}
# replace the entire packet with another
# drop() the original first, then inject() the replacement.
if (tcp.src == 23 && search(DATA.data, "microsoft")) {
drop();
inject("./fake_telnet");
}
# Modifying binary data by using external commands
# Matches UDP to port 53 (DNS) whose payload contains the wire-format
# label sequence "\x03com\x00" (the length-prefixed name "com").  The
# payload is dumped to /tmp/payload, the original packet is dropped, and
# execinject() presumably injects the output of the shell command -- here
# sed rewriting "com" into "my.page.de" ("\x02my\x04page\x02de\x00").
# udp.len += 7 accounts for the growth of 12 - 5 = 7 bytes of ONE
# replacement; sed's /g flag replaces every occurrence, so a payload with
# several matches ends up with an inconsistent length field.
# NOTE(review): /tmp/payload is a fixed name in a shared directory and the
# file is created, read by sed and removed for every matching packet.  If
# the engine handles packets concurrently, or if something already exists
# at that path (e.g. a symlink), the wrong data can be read or written;
# prefer a private directory with restrictive permissions and a unique
# file name.  The packet bytes reach sed only through that file, never on
# the command line, which is what keeps packet data out of the shell.
if (udp.dst == 53 && pcre_regex(DATA.data, ".*\x03com\x00.*")) {
log(DATA.data, "/tmp/payload");
drop();
execinject("/bin/sed 's/\x03com\x00/\x02my\x04page\x02de\x00/g' /tmp/payload");
udp.len += 7;
exec("/bin/rm /tmp/payload");
msg("faked");
}
# filter only a specific ip address
# Address literals are written as single-quoted strings.
if (ip.src == '192.168.0.2') {
drop();
}
# do the same for IPv6
if (ipv6.src == '2001:db8::1') {
drop();
}
# combined both IPv4 and IPv6
# Guard on the link-layer protocol so each ip.*/ipv6.* field is only read
# on frames of the matching address family.
if (eth.proto == IP && ip.dst == '192.168.0.2') {
msg("drop IPv4");
drop();
}
if (eth.proto == IP6 && ipv6.dst == '2001:db8::1') {
msg("drop IPv6");
drop();
}
# translate the port of the tcp packet from 80 to 81
# Two compound assignments with a net effect of +1; they only demonstrate
# the -= and += operators (a single "tcp.dst += 1" would do the same).
if (tcp.dst == 80) {
tcp.dst -= 1;
tcp.dst += 2;
}
# identify and mangle ESP packets
# The IPsec ESP payload (normally encrypted) is simply overwritten with a
# constant marker string.
if (ip.proto == ESP) {
DATA.data = "DEADDECAF";
}
# eof
# vim:ts=3:expandtab