[Snort-devel] Evading Snort via splitting ACKs

Chris Green cmg at ...402...
Tue Sep 24 12:24:10 EDT 2002

"David J. Bianco" <bianco at ...1589...> writes:

> A couple of people have asked for my sample code, so I'm attaching it
> below.  I've only ever tried to compile it under RedHat 7.3, but I think
> it stands a reasonable chance of working elsewhere.  You'll need both
> libnet and libpcap.  Documentation is in the comments at the beginning.
> I'd appreciate knowing what your experiences are with this code, and 
> maybe others would too, so perhaps posting them to list would be
> appropriate.

David graciously provided me with pcap dumps when I couldn't get the
arp poisoning working against an OS X box ( too many variables to
trouble shoot )..

>  *
>  * alert tcp $EXTERNAL_NET any -> www.yourdomain.net 7 (msg: "ECHO
>  * SAMPLE ATTACK"; flags:A+; uricontent:"HEAD /"; nocase;
>  * classtype:web-application-attack;)

One thing that is wrong about this rule is that uricontent should
instead be content because uricontent ignores the request method since
it's not a part of the uri.

alert tcp $EXTERNAL_NET any -> any any (msg: "ECHO SAMPLE ATTACK"; \
flow: to_server,established; content:"HEAD /";
nocase; classtype:web-application-attack;)

Works as expected under 1.9.  There were a couple of places in the
1.8.x series and earlier beta's that needed to be cleaned up in this
ACK artifact handling.  Expect 1.9.0 coming soon to a theatre near
you. :^)
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.

More information about the Snort-devel mailing list