Snort mailing list archives
Re: Triggering a complex snort rule (packet forging)
From: Asiri Rathnayake <asiri.rathnayake () gmail com>
Date: Tue, 2 Apr 2013 22:47:50 +0100
Hi Nathan,

On Tue, Apr 2, 2013 at 2:11 PM, lists () packetmail net <lists () packetmail net> wrote:

> On 04/02/2013 06:13 AM, Asiri Rathnayake wrote:
>> I was wondering if it's possible to forge packets with Scapy [1] and throw them at HOME_NET in such a way that would make Snort believe that those packets correspond to the signature in the rule above. Would Snort fall into such forged traffic?
>
> I believe the issue in using Scapy is that you're trying to forge an HTTP Response header/body but at the same time the example signature you've provided is using flow:to_client,established. I'm not sure if, with regard to Scapy, you're going to be forging a PSH packet alone. Honestly, I'm not quite sure how you would use Scapy in this scenario successfully since the client machine is expecting to be the one establishing the connection and expecting a PSH (reasonable expectation, I know RST, and lack of 3-way).
It took me some time to digest some of the things you mentioned, but I think you are correct. While I might be able to forge packets with Scapy, it looks like I'll have a hard time escaping the Stream5 TCP reassembly module. After reading [1,2,3] and several other articles on the web, I've come to the conclusion that I cannot simply "throw packets from outside" matching the rule signature I mentioned. My guess is that the Stream5 pre-processor module will detect that there was no established flow and it will either reject the packet or let it pass through but not consider it as matching the rule signature (since there is no established flow). I hope this understanding is correct.

Many thanks.

- Asiri

[1] http://blog.snort.org/2011/09/flow-matters.html
[2] http://manual.snort.org/node33.html#SECTION00469000000000000000
[3] http://manual.snort.org/node17.html#stream5_section
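As an added illustration (not code from this thread, and not Snort's own Stream5 implementation), the toy tracker below shows why a packet injected without a handshake the sensor saw never satisfies `flow:to_client,established`: the session is only marked established after SYN, SYN/ACK and ACK, and `to_client` is judged against the side that sent the SYN. The addresses, the rule content and the `Packet`/`FlowTracker` names are all constructed for the example.

```python
from typing import NamedTuple

SYN, ACK, PSH = 0x02, 0x10, 0x08  # TCP flag bits

class Packet(NamedTuple):
    src: tuple        # (ip, port)
    dst: tuple        # (ip, port)
    flags: int
    payload: bytes = b""

def flow_key(p):
    return frozenset({p.src, p.dst})  # direction-independent session identifier

class FlowTracker:
    """Toy Stream5-like tracker (constructed, not Snort code): a session counts as
    'established' only after the sensor sees the full 3-way handshake. Seq/ack
    validation, midstream pickup and timeouts are deliberately left out."""

    def __init__(self):
        self.flows = {}  # flow key -> [state, (ip, port) of the side that sent the SYN]

    def process(self, p):
        f = self.flows.get(flow_key(p))
        if f is None:  # untracked: only a bare SYN opens a session, anything else is ignored
            if p.flags & SYN and not p.flags & ACK:
                self.flows[flow_key(p)] = ["SYN_SENT", p.src]
        elif f[0] == "SYN_SENT" and p.flags & SYN and p.flags & ACK and p.dst == f[1]:
            f[0] = "SYN_RECV"
        elif f[0] == "SYN_RECV" and p.flags & ACK and p.src == f[1]:
            f[0] = "ESTABLISHED"

    def rule_hits(self, p, content):
        """Emulates `flow:to_client,established; content:"<content>";` for one packet."""
        f = self.flows.get(flow_key(p))
        if f is None or f[0] != "ESTABLISHED":
            return False
        return p.dst == f[1] and content in p.payload  # to_client: headed to the SYN sender

def demo():
    tr, sig = FlowTracker(), b"Content-Type: text/html"
    server, client = ("203.0.113.5", 80), ("10.0.0.7", 40000)  # constructed addresses
    resp = Packet(server, client, PSH | ACK, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n")
    tr.process(resp)
    injected = tr.rule_hits(resp, sig)  # thrown in from outside: no session, so no match
    for hs in (Packet(client, server, SYN), Packet(server, client, SYN | ACK), Packet(client, server, ACK)):
        tr.process(hs)  # a handshake the sensor actually saw
    tr.process(resp)
    return injected, tr.rule_hits(resp, sig)  # (False, True)
```

The same response bytes are evaluated twice; only the copy that arrives inside a tracked, completed handshake matches, which is the behaviour the thread attributes to Stream5.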