MATCHSTREAM
The MATCHSTREAM command inspects network traffic for activity on the specified ports which matches a regular expression. The payload will be paused until matching traffic is found.
Regular expressions can be difficult, but powerful. They allow searching for complex patterns in a stream. Sites such as https://regex101.com/ can help explore the power of regular expressions.
MATCHSTREAM uses the ECMASCRIPT regular expression flavor.
Options
The MATCHSTREAM command expects several options:
MATCHSTREAM [interface] [direction] [expression] [port] ... [portN]
Interface
MATCHSTREAM requires a network interface. Typically on the Packet Squirrel this is br-lan, the virtual interface which connects the Ethernet ports.
Direction
MATCHSTREAM requires a direction: It can match on CLIENT requests, SERVER responses, or packets in ANY direction.
Expression
MATCHSTREAM matches on a basic regular expression.
This expression can be as simple as the text to match, such as "Authorization: Basic", or a complex match such as "[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}"to match four groups of four digits.
Ports
MATCHSTREAM can match any number of ports.
Return values
MATCHSTREAM will exit when a packet is seen on the monitored ports.
MATCHSTREAM will print the port pairs which caused the match (source and destination of the packet).
Experimenting
You can experiment using the MATCHSTREAM command live, either in the Web Shell in the web UI, or via ssh!
Demonstration of the MATCHSTREAM command
To experiment with traffic from a Target device (such as your computer plugged into the Target port in Arming mode), you’ll need to use eth1 as the interface:
Demonstration of stream matching based on target port
Examples
The most basic use of the MATCHSTREAM command is to halt execution of a payload until traffic is seen. This demonstration payload will disconnect the Target device if it is seen to connect to a web server
#!/bin/bash
NETMODE BRIDGE
MATCHSTREAM br-lan ANY 'Authorization: Basic' 80
NETMODE JAIL
LED R VERYFAST