[Snort-devel] Evading Snort via splitting ACKs
cmg at ...402...
Tue Sep 24 12:24:10 EDT 2002
"David J. Bianco" <bianco at ...1589...> writes:
> A couple of people have asked for my sample code, so I'm attaching it
> below. I've only ever tried to compile it under RedHat 7.3, but I think
> it stands a reasonable chance of working elsewhere. You'll need both
> libnet and libpcap. Documentation is in the comments at the beginning.
> I'd appreciate knowing what your experiences are with this code, and
> maybe others would too, so perhaps posting them to list would be
David graciously provided me with pcap dumps when I couldn't get the
ARP poisoning working against an OS X box (too many variables to
troubleshoot).
> * alert tcp $EXTERNAL_NET any -> www.yourdomain.net 7 (msg: "ECHO
> * SAMPLE ATTACK"; flags:A+; uricontent:"HEAD /"; nocase;
> * classtype:web-application-attack;)
One thing that is wrong about this rule is that uricontent should
instead be content because uricontent ignores the request method since
it's not a part of the uri.
alert tcp $EXTERNAL_NET any -> any any (msg: "ECHO SAMPLE ATTACK"; \
flow: to_server,established; content:"HEAD /"; nocase; \
classtype:web-application-attack;)
Works as expected under 1.9. There were a couple of places in the
1.8.x series and earlier betas that needed to be cleaned up in this
ACK artifact handling. Expect 1.9.0 coming soon to a theatre near
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.
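Added example, not code from the original post or from Snort: a small Python emulation of the difference Chris describes between `content` and `uricontent`, run over a constructed HEAD request that arrives as two TCP segments. The names `reassemble`, `uri_of` and `evaluate` are my own, and `uri_of` is a simplification of Snort's HTTP URI normalization.

```python
import re

# Constructed sample (not from a real capture): one HEAD request
# delivered as two TCP segments, received out of order, as (seq, payload).
SEGMENTS = [
    (1003, b"AD / HTTP/1.0\r\n\r\n"),
    (1001, b"HE"),
]

def reassemble(segments):
    """Join payloads in sequence-number order (no overlap/gap handling)."""
    return b"".join(payload for _, payload in sorted(segments))

def uri_of(request):
    """The part of the request line that uricontent inspects: the URI
    only. The request method is not part of it, so 'HEAD /' cannot appear."""
    m = re.match(rb"[A-Za-z]+[ \t]+(\S+)", request)
    return m.group(1) if m else b""

def content_match(data, pattern, nocase=True):
    """Snort `content` semantics: substring search over the whole payload."""
    if nocase:
        return pattern.lower() in data.lower()
    return pattern in data

def uricontent_match(data, pattern, nocase=True):
    """Snort `uricontent` semantics: substring search over the URI only."""
    return content_match(uri_of(data), pattern, nocase)

def evaluate(segments, pattern=b"HEAD /"):
    """Apply the rule's pattern three ways to the same request:
    per segment without reassembly, on the reassembled stream with
    `content`, and on the reassembled stream with `uricontent`."""
    stream = reassemble(segments)
    return {
        "per_segment_content": any(content_match(p, pattern) for _, p in segments),
        "stream_content": content_match(stream, pattern),
        "stream_uricontent": uricontent_match(stream, pattern),
    }

if __name__ == "__main__":
    for name, hit in evaluate(SEGMENTS).items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

Only the reassembled stream inspected with `content` fires; `uricontent` never sees the method, and neither segment alone holds the whole pattern.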