Snort mailing list archives

Re: Generating packets from Snort 3 rules
From: Joel Esler via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 2 Aug 2022 09:47:15 -0400

Again, I don’t speak for Talos anymore, but I could confidently say the answer is “no”.

On Aug 1, 2022, at 3:49 PM, Stephen Reese <rsreese () gmail com> wrote:

Might the pcaps be shareable under a data sharing agreement with myself or the university I am at?

On Tue, Jul 26, 2022 at 8:59 AM Joel Esler <joel.esler () me com <mailto:joel.esler () me com>> wrote:
Talos pcaps are not shareable. I don’t work there anymore, but I feel confident that they would agree with me. 

— 
Sent from my iPhone

On Jul 26, 2022, at 07:08, Stephen Reese <rsreese () gmail com <mailto:rsreese () gmail com>> wrote:
Joel,

Which tools are used? More importantly, I would be interested to know if the pcaps are available for research purposes. This would be to load the pcaps into Scapy to modify the packets' payloads based on the research criteria.

Thanks,
Stephen

On Mon, Jul 18, 2022 at 9:38 AM Joel Esler <joel.esler () me com <mailto:joel.esler () me com>> wrote:
Is there a tool used at Talos to generate packets? Yes. Various open source tools are used to wrap things like text and single packets into full session packets, but overwhelmingly (like 99 times out of 100) the packets that are being used to write and test the rules are actual attack packets against an actual host. Sometimes this means detonating malware in order to generate the traffic, sometimes this means writing an exploit to generate the traffic, but a pcap exists for every single rule written.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads