Snort mailing list archives
Re: pcaps for triggering rules
From: Sunny James Fugate <sunny.fugate () gmail com>
Date: Fri, 24 Aug 2012 08:32:09 -0600
There is also the sneeze.pl script. --> http://www.securiteam.com/tools/5DP0T0AB5G.html I haven't tried this script in years, but might still work to a limited extent. If nothing else, it presents a method which could be duplicated/updated. It looks like its missing a bunch of recent content modification options (seems to only implement "offset"). Cheers, Sunny On Aug 24, 2012, at 12:53 AM, Tony Robinson wrote:
There's a number of ways you can go about doing this, Pratik. 1) there are some places on the net that have packet captures of known malicious content (e.g. think malware traffic, etc.) such as https://www.openpacket.org/ You would use tcpreplay to play these pcaps back from another system, or the snort system itself to try and force snort to trigger against the PCAP. Tip: If you want snort to trigger against PCAPs, make sure you use -k none or disable checksumming in snort.conf. 2) Waldo Kitty is probably thinking of scapy. Scapy is a packet crafting tool that can be used to modify and create packets of various types. more info at http://www.secdev.org/projects/scapy/ as far as I remember, scapy is included in backtrack. 3) There is another tool called udpflood that can be used to well, flood your network with UDP traffic, but what's interesting about this program is that you can specify a payload as well: http://www.mcafee.com/us/downloads/free-tools/udpflood.aspx 4) Lastly, there's the overkill approach: build your own virtual network and use NMAP/Metasploit/Armitage/W3AF and launch exploits against other virtual machines -- this is how I do my testing. If there's enough interest in this, I may do a write-up on how I configure my virtual lab for testing signatures. It's nothing fancy, but if the snort community thinks it would be beneficial, I would happily contribute it. Hope this helps you -Tony/da667 On Fri, Aug 24, 2012 at 2:26 AM, Pratik Narang <pratik.cse.bits () gmail com> wrote: Dear Snort users, A good deal of Snort rules do a 'content' check. Can I use some utility so that I may be able to craft or tamper packets just to suit them to trigger Snort rules of my choice? Essentially, I guess, I am asking if I can create sample pcaps or modify actual pcap captures which will trigger certain rules. ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! -- when does reality end? when does fantasy begin? ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- pcaps for triggering rules Pratik Narang (Aug 23)
- Re: pcaps for triggering rules waldo kitty (Aug 23)
- Re: pcaps for triggering rules Tony Robinson (Aug 23)
- Re: pcaps for triggering rules Sunny James Fugate (Aug 24)
- Re: pcaps for triggering rules Joel Esler (Aug 24)
- Re: pcaps for triggering rules Sunny James Fugate (Aug 24)
- Re: pcaps for triggering rules Gmail Personal (Aug 24)
- Re: pcaps for triggering rules Tony Robinson (Aug 24)
- Re: pcaps for triggering rules Pratik Narang (Aug 24)
- Re: pcaps for triggering rules Tony Robinson (Aug 24)
- Re: pcaps for triggering rules Peter Bates (Aug 24)
- Re: pcaps for triggering rules Heine Lysemose (Aug 24)
- Re: pcaps for triggering rules Gmail Personal (Aug 24)
- Re: pcaps for triggering rules Gmail Personal (Aug 24)
- Re: pcaps for triggering rules Pratik Narang (Aug 24)
- Re: pcaps for triggering rules Joel Esler (Aug 24)
- Re: pcaps for triggering rules Heine Lysemose (Aug 24)
(Thread continues...)