MATCHSTREAM

The MATCHSTREAM command inspects network traffic for activity on the specified ports which matches a regular expression. The payload will be paused until matching traffic is found.

Regular expressions can be difficult, but powerful. They allow searching for complex patterns in a stream. Sites such as https://regex101.com/ can help explore the power of regular expressions.

MATCHSTREAM uses the ECMASCRIPT regular expression flavor.

Options

The MATCHSTREAM command expects several options:

MATCHSTREAM [interface] [direction] [expression] [port] ... [portN]

Interface

MATCHSTREAM requires a network interface. Typically on the Packet Squirrel this is br-lan, the virtual interface which connects the Ethernet ports.

Direction

MATCHSTREAM requires a direction: It can match on CLIENT requests, SERVER responses, or packets in ANY direction.

Expression

MATCHSTREAM matches on a basic regular expression.

This expression can be as simple as the text to match, such as "Authorization: Basic", or a complex match such as "[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}"to match four groups of four digits.

Ports

MATCHSTREAM can match any number of ports.

Return values

MATCHSTREAM will exit when a packet is seen on the monitored ports.

MATCHSTREAM will print the port pairs which caused the match (source and destination of the packet).

Experimenting

You can experiment using the MATCHSTREAM command live, either in the Web Shell in the web UI, or via ssh!

Demonstration of the MATCHSTREAM command

To experiment with traffic from a Target device (such as your computer plugged into the Target port in Arming mode), you'll need to use eth1 as the interface:

Demonstration matching on the Target port

Examples

The most basic use of the MATCHSTREAM command is to halt execution of a payload until traffic is seen. This demonstration payload will disconnect the Target device if it is seen to connect to a web server

#!/bin/bash 

# Title: Matchstream example
#
# Description: Disconnect the Target device if there is a login attempt on an unencrypted port

# Set bridge mode
NETMODE BRIDGE

# Wait for any basic-auth on port 80
MATCHSTREAM br-lan ANY 'Authorization: Basic' 80

# Jail the target
NETMODE JAIL

# Set the LED
LED R VERYFAST

Last updated