[Snort-devel] How to generate fake Packets?

Justin Heath justin.heath at ...2499...
Mon Jun 30 11:52:19 EDT 2008


Rather than creating a "fake" packet, you would probably be better
served by creating a really generic rule, such as

alert tcp any any -> any any (msg: "TCP Stuff"; sid:12345678;)

Use stdout options (such as -A cmg) to see the alerts as they are generated.

If you're dead set on creating "fake" packets and you want something
easy, try editing an existing pcap with netdude. Otherwise try
something like Scapy.


Cheers,
Justin


On Mon, Jun 30, 2008 at 4:17 AM, Salvo Danilo Giuffrida
<salvodanilogiuffrida at ...2499...> wrote:
> Hello, to try to solve the problems I have in generating alerts, I'm
> exploring the possibility of creating a 'fake' packet when I want to
> generate one, and then call 'SetEvent' and 'CallAlertFuncs' to
> generate an Event and tie it to the fake packet, so maybe I'll be able
> to see alerts as soon as I generate them, not only when I quit Snort,
> and only at the maximum value configured in the snort.conf file....
> So, apart from manually filling a Packet structure, is there any
> simpler way to generate a fake packet in Snort (by 'fake' I mean a
> packet that for example has the same source and destination, like
> 127.0.0.1 or 0.0.0.0)?
> Thanks a lot
>
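
As an added example (not part of the original thread, and using only Python's standard library rather than netdude or Scapy), the code below builds an Ethernet/IPv4/TCP frame whose source and destination address are both 127.0.0.1, as described in the quoted question, and writes it to a pcap file. The function names, ports, payload, timestamps and the file name `fake.pcap` are assumptions made for illustration.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(addr=bytes([127, 0, 0, 1]), sport=12345, dport=80, payload=b"test"):
    """Return an Ethernet/IPv4/TCP frame with source IP == destination IP == addr."""
    tcp_len = 20 + len(payload)
    # IPv4: version/IHL, TOS, total length, id, flags/frag, TTL, proto 6 (TCP), checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0, 64, 6, 0, addr, addr)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    # TCP: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum 0, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    # The TCP checksum also covers a pseudo-header: src, dst, zero, protocol, TCP length
    pseudo = addr + addr + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    # Ethernet: all-zero MAC addresses (constructed), EtherType 0x0800 (IPv4)
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload

def write_pcap(path, frames):
    """Write frames to a classic little-endian pcap file, link type 1 (Ethernet)."""
    with open(path, "wb") as f:
        # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            # Record header: ts_sec (constructed), ts_usec, captured length, original length
            f.write(struct.pack("<IIII", 1 + i, 0, len(frame), len(frame)))
            f.write(frame)

if __name__ == "__main__":
    # Checksums are valid so that a sensor verifying them does not discard the frame.
    write_pcap("fake.pcap", [build_packet()])
```

The resulting file can be read by Snort with `-r fake.pcap`, together with the generic rule and the `-A cmg` output option from the reply above.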



