Re: Triggering a complex snort rule (packet forging)

[Asiri Rathnayake <asiri.rathnayake () gmail com>]

Following reply was sent only to wkitty by mistake. Re-sending it to the
list just for reference.

Thanks all!

- Asiri

On Tue, Apr 2, 2013 at 5:21 PM, Asiri Rathnayake <asiri.rathnayake () gmail com
> wrote:

> Hello,
>
> On Tue, Apr 2, 2013 at 4:36 PM, waldo kitty <wkitty42 () windstream net>wrote:
>
> > On 4/2/2013 07:28, Asiri Rathnayake wrote:
> > > May be I should've been more specific, sorry about that. I need to
> > trigger the
> > > rule from the outside, without depending on the client.
> >
> > your rule requires an "established" connection so there has to be another
> > end of
> > the pipeline... the "server" is one end but where is the data going if
> > there is
> > no client involved?
> >
> > it may be possible, as others have pointed out, to simulate it via
> > constructed
> > pcaps, though... not really something i'd want to attempt unless there is
> > a tool
> > that can easily generate such a pcap of sufficient size... i'm not aware
> > of one
> > but others may be...
> >
> > my initial gut reaction says the /easiest/ method would be to use a
> > scripted
> > client and a remote server...
>
> I agree with you on all the points. However, I have a specific requirement
> of being able to trigger the rule from the outside.
>
> This requirement came from a research we're currently working on:
>
> http://www.cs.bham.ac.uk/~hxt/research/rxxr.shtml
>
> It's possible for rule writers to introduce vulnerable regular expressions
> into their PCRE rules which could be exploitable. We found several such
> rules but all of them seem to be looking at some sort of response traffic.
>
> This is why I started investigating if it's possible to trigger those
> rules without involving a client. If I can figure out a way to trigger the
> rules that way, then I might be able to send malicious packets to a snort
> protected network and see how snort will handle the situation.
>
> I didn't want to go into these details because our research is very
> specific. But may be I over-simplified the problem by trying to avoid
> talking about it.
>
> It seems what I'm trying to do is extremely uncommon, and the usual
> approach is to get some support from the client. Having the support from
> the client would work really well for testing this kind of rules, but as
> far as I can understand, it wouldn't help much if I'm trying to
> (repeatedly) trigger a rule from the outside.
>
> Many thanks for all of your inputs!
>
> - Asiri
------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!