Possible to filter by Seq, Ack, Win and Len?



  • Hi All

    Sorry if this is the wrong location, I have no idea where to put this.

    Is there a way with pfSense or a package that I can find a particular [PSH, ACK] with a unique Seq, Ack, Win and Len value
    and then ask pfSense to issue a command when it finds it, such as a small script?

    Thanks in advance.


  • Netgate Administrator

    Nothing built in can do that, that I'm aware of. It would probably be possible via a script of some sort. Running a pcap and parsing its output perhaps.
    What are you trying to do? There might be some easier way to do it.

    Steve



  • Hi Steve,

    Thanks for the reply.

    So I have a system at home that is supposed to notify me when it gets activated via push notifications. They are having issues all the time with their servers, so me and other users never get the notifications.

    I captured my device when the notification gets sent to their servers, and all I want to do is get my router to pick that signature up and then for me to run my own script so I can send notifications to my phone.

    This is the line I wish to search for and create a rule for:

    0_1547057181538_Screenshot_1.png

    If you know of any other way I could get this to work, I would be very grateful.

    Regards


  • Netgate Administrator

    Mmm, probably going to need a script to do it. You might be able to define a custom Snort rule to detect that, which would be nice. But it will only throw an alert when it sees it. No way I'm aware of to send a notification based on that alert. Maybe if you were exporting the Snort logs you could have something else set up to parse them and do that.
    Neither of those things are anything I've ever tried.

    Steve
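
Added example, not part of the thread and not Netgate code: the "run a pcap and parse its output" approach mentioned above, reading `tcpdump` text output on stdin and running a command when a packet matches. The destination address, window and length values and the notify-script argument are constructed placeholders; Seq and Ack are left out of the signature because TCP chooses new initial sequence numbers for every connection, but they can be added as `seq` and `ack` keys.

```python
import re
import subprocess
import sys

# Shape of one IPv4 TCP line printed by `tcpdump -l -n -S tcp`.
LINE_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\],"
    r"(?: seq (?P<seq>\d+)(?::(?P<seq_end>\d+))?,)?"
    r"(?: ack (?P<ack>\d+),)?"
    r" win (?P<win>\d+),.*?\blength (?P<len>\d+)"
)

# Constructed placeholder signature, not the values from the thread's screenshot.
# "P." is how tcpdump prints [PSH, ACK].
SIGNATURE = {"dst": "203.0.113.10.443", "flags": "P.", "win": 229, "len": 141}


def parse_line(line):
    """Return the TCP fields of one tcpdump line as a dict, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    for k in ("seq", "seq_end", "ack", "win", "len"):
        f[k] = int(f[k]) if f[k] is not None else None
    return f


def matches(fields, signature):
    """True when every field named in the signature has the wanted value."""
    return fields is not None and all(fields.get(k) == v for k, v in signature.items())


def watch(lines, signature, on_match):
    """Call on_match(fields) for each matching line; return the hit count."""
    hits = 0
    for line in lines:
        fields = parse_line(line)
        if matches(fields, signature):
            on_match(fields)
            hits += 1
    return hits


if __name__ == "__main__":
    # Assumed usage: tcpdump -l -n -S -i <iface> tcp | python3 this_file.py /path/to/notify.sh
    # The notify script path is hypothetical; it receives the source address as its argument.
    watch(sys.stdin, SIGNATURE, lambda f: subprocess.run([sys.argv[1], f["src"]], check=False))
```
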