Snort mailing list archives
Triggering a complex snort rule (packet forging)
From: Asiri Rathnayake <asiri.rathnayake () gmail com>
Date: Tue, 2 Apr 2013 12:07:16 +0100
Dear All,

This may be a bit of a naive question but I couldn't find a definitive answer on the web. Let's say we have a rule of the following form:

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"..."; flow:to_client,established; content:"..."; nocase; http_header; metadata:service http; classtype:attempted-user; ...)

This rule will only be triggered on the return traffic from some server (?). If I understand correctly, this means the client (a computer on the HOME_NET) made a request to some server (EXTERNAL_NET) and this rule is looking into the response from the server.

My question is, how can such a rule be tested? (I need to trigger the rule repeatedly.) I was wondering if it's possible to forge packets with Scapy [1] and throw them at HOME_NET in such a way that would make Snort believe that those packets correspond to the signature in the rule above. Would Snort fall for such forged traffic?

I found [3] while reading [2], but it seems rule2alert is in an early stage of development (it says it can only handle simple rules).

If someone can kindly confirm that the strategy I have highlighted above is viable, then I will be able to dig deeper into forging packets with Scapy. I thought it would be wise to ask here first just in case I'm headed the wrong way (I'm a bit new to the IDP/IDS domain).

Thanks a lot for your time.

- Asiri

[1] http://www.secdev.org/projects/scapy/
[2] http://seclists.org/snort/2011/q1/648
[3] https://code.google.com/p/rule2alert/
_______________________________________________ Snort-devel mailing list Snort-devel () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-devel Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel Please visit http://blog.snort.org for the latest news about Snort!
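The testing approach asked about above is workable, with two caveats the thread does not spell out: Snort's stream preprocessor only treats a session as `established` once it has seen the TCP three-way handshake, so a lone forged response packet will not satisfy `flow:to_client,established`, and Snort's default `checksum_mode` ignores packets whose IP or TCP checksums are wrong, so the forged headers must carry valid checksums. The script below is an added example, not code from the poster, Scapy or the Snort project. It uses only the Python standard library (rather than Scapy) to forge the full exchange, SYN, SYN/ACK, ACK, an HTTP request, the server's ACK, the HTTP response and the client's final ACK, with consistent sequence numbers and correct checksums, and writes it to a pcap that can be replayed offline with `snort -r forged_http.pcap -c snort.conf -A console` (the file and config names are hypothetical, and `$EXTERNAL_NET`/`$HOME_NET` in that config must cover the constructed addresses). All MACs, IPs, ports and payloads are constructed sample values; the response header is the place where a rule's `content`/`http_header` pattern would be put.

```python
"""Forge a complete TCP handshake plus HTTP request/response and save it as a pcap.

Added example (not from the thread): stdlib only. Replay the result with
  snort -r forged_http.pcap -c snort.conf -A console   (paths hypothetical).
Every address, port, MAC and payload below is a constructed sample value.
"""
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
CLIENT_MAC = bytes.fromhex("020000000001")  # locally administered, constructed
SERVER_MAC = bytes.fromhex("020000000002")


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, ident: int) -> bytes:
    """20-byte IPv4 header (DF set, TTL 64, protocol 6 = TCP) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
              flags: int, payload: bytes = b"") -> bytes:
    """20-byte TCP header; the checksum covers pseudo-header, header and payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, 20 + len(payload)))
    hdr = hdr[:16] + struct.pack("!H", ones_complement_sum(pseudo + hdr + payload)) + hdr[18:]
    return hdr + payload


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, ident,
                src_mac, dst_mac) -> bytes:
    """Ethernet II frame (type 0x0800) wrapping IPv4/TCP."""
    tcp = build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload)
    return dst_mac + src_mac + b"\x08\x00" + build_ipv4(src_ip, dst_ip, tcp, ident)


def build_session(client_ip, server_ip, client_port, server_port, request: bytes,
                  response: bytes, client_isn=1000, server_isn=5000) -> list:
    """Seven frames: handshake (1-3), request (4), ACK (5), response (6), ACK (7).

    The stream preprocessor marks the session established only after frames 1-3,
    so frame 6 is the first packet a flow:to_client,established rule can match.
    """
    frames, ident = [], [0]

    def send(from_client: bool, seq, ack, flags, payload=b""):
        ident[0] += 1
        if from_client:
            frames.append(build_frame(client_ip, server_ip, client_port, server_port, seq,
                                      ack, flags, payload, ident[0], CLIENT_MAC, SERVER_MAC))
        else:
            frames.append(build_frame(server_ip, client_ip, server_port, client_port, seq,
                                      ack, flags, payload, ident[0], SERVER_MAC, CLIENT_MAC))

    send(True, client_isn, 0, SYN)                                                  # 1 SYN
    send(False, server_isn, client_isn + 1, SYN | ACK)                              # 2 SYN/ACK
    send(True, client_isn + 1, server_isn + 1, ACK)                                 # 3 ACK
    send(True, client_isn + 1, server_isn + 1, PSH | ACK, request)                  # 4 request (to_server)
    send(False, server_isn + 1, client_isn + 1 + len(request), ACK)                 # 5 server ACKs it
    send(False, server_isn + 1, client_isn + 1 + len(request), PSH | ACK, response) # 6 response (to_client)
    send(True, client_isn + 1 + len(request), server_isn + 1 + len(response), ACK)  # 7 client ACKs
    return frames


def parse_frame(frame: bytes) -> dict:
    """Decode a frame and recompute both checksums (a packet with a bad checksum
    is ignored under Snort's default checksum_mode, so this is worth verifying)."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "payload": tcp[(off >> 4) * 4:],
            "ip_csum_ok": ones_complement_sum(ip[:ihl]) == 0,
            "tcp_csum_ok": ones_complement_sum(pseudo + tcp) == 0}


def pcap_bytes(frames, start_ts: float = 1364900000.0) -> bytes:
    """Classic pcap (magic 0xa1b2c3d4, link type 1 = Ethernet), 1 ms between frames."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        t = start_ts + i * 0.001
        sec = int(t)
        out.append(struct.pack("<IIII", sec, int(round((t - sec) * 1_000_000)), len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


if __name__ == "__main__":
    # Constructed sample: put the rule's content/http_header pattern in the response header.
    req = b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nX-Test-Header: rule-trigger\r\nContent-Length: 2\r\n\r\nok"
    session = build_session("192.0.2.10", "198.51.100.20", 40001, 80, req, resp)
    assert all(parse_frame(f)["ip_csum_ok"] and parse_frame(f)["tcp_csum_ok"] for f in session)
    with open("forged_http.pcap", "wb") as fh:
        fh.write(pcap_bytes(session))
    print("wrote %d frames to forged_http.pcap" % len(session))
```

Because the response travels from server port 80 to the client's high port, frame 6 matches the rule's `tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any` direction when 198.51.100.20 is in `$EXTERNAL_NET` and 192.0.2.10 in `$HOME_NET` in the test config; changing the constants or the `client_isn`/`server_isn` arguments yields as many distinct sessions as needed for repeated triggering. Replaying a pcap this way exercises the same decoder, stream and HTTP preprocessors as live traffic, so it is a reasonable substitute for injecting frames on the wire.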