Snort mailing list archives

Re: Triggering a complex snort rule (packet forging)


From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 2 Apr 2013 08:11:50 -0500

On 04/02/2013 06:13 AM, Asiri Rathnayake wrote:

> I was wondering if it's possible to forge packets with Scapy [1] and throw them
> at HOME_NET in such a way that would make Snort believe that those packets
> correspond to the signature in the rule above. Would Snort fall into such forged
> traffic?

I believe the issue in using Scapy is that you're trying to forge an HTTP
Response header/body but at the same time the example signature you've provided
is using flow:to_client,established.  I'm not sure if, with regard to Scapy,
you're going to be forging a PSH packet alone.  Honestly, I'm not quite sure how
you would use Scapy in this scenario successfully since the client machine is
expecting to be the one establishing the connection and expecting a PSH
(reasonable expectation, I know RST, and lack of 3-way).

> I found [3] while reading [2], but it seems rule2alert is in an early stage of
> development (it says it can only handle simple rules). If someone can kindly
> confirm if the strategy I have highlighted above is viable, then I will be able
> to dig deeper into forging packets with Scapy. I thought it would be wise to ask
> here first just in case I'm headed the wrong way (I'm a bit new to the IDP/IDS
> domain).

Welcome to the IDS fun :)  I'd just stand up a webserver you have control over
and craft the pages to send the payload you're attempting to match on.  This is
what I do and it's much easier than packet forging.  Also, consider that this is
as close as you can get to real world examples of the content you're trying to
match on.  You're behaving exactly as a webserver should and you don't need to
worry about false negatives or false positives as a result of packet
forging/crafting on the wire.

Cheers and hope this helped,
Nathan Fowler
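The approach Nathan describes, as an added example that is not part of the original thread: a minimal lab webserver (Python stdlib only, no Scapy) that returns a chosen payload in a normal HTTP 200 response, plus a client fetch so the IDS on the path sees a genuine established flow with server-to-client data. The marker string, port and path are constructed for illustration; substitute the content your rule matches on in an isolated lab.

```python
"""Serve a test payload over a real TCP/HTTP session so an IDS on the path sees a
genuine established flow with server->client (to_client) data.  Added example;
the marker string, port and path are constructed, not from the thread."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed, deliberately benign marker: replace with the content your rule
# matches on when running inside an isolated lab segment.
TEST_PAYLOAD = b"SNORT-RULE-TEST-MARKER"


def make_handler(payload: bytes):
    """Build a request handler that returns `payload` as the HTTP response body."""

    class PayloadHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            # An ordinary 200 response: Snort's HTTP inspection sees normal server
            # traffic on an established session, satisfying flow:to_client,established.
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def log_message(self, *args):  # keep the lab run quiet
            pass

    return PayloadHandler


def serve_payload(payload: bytes, host: str = "127.0.0.1", port: int = 0) -> HTTPServer:
    """Start a background HTTP server serving `payload`; port 0 picks a free port."""
    server = HTTPServer((host, port), make_handler(payload))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_body(server: HTTPServer, path: str = "/test.html") -> bytes:
    """Act as the client that opens the connection, so the flow direction is real."""
    host, port = server.server_address[:2]
    # Empty ProxyHandler: never route the loopback request through an HTTP proxy.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(f"http://{host}:{port}{path}", timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    srv = serve_payload(TEST_PAYLOAD)
    print(f"serving on {srv.server_address}; client received: {fetch_body(srv)!r}")
    srv.shutdown()
```

Bind `host` to the lab server's address and fetch from a client inside HOME_NET so the sensor sees the full three-way handshake and the response it should alert on.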

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
