[Snort-devel] How to generate fake Packets?

Justin Heath justin.heath at ...2499...
Mon Jun 30 12:07:03 EDT 2008


Sorry, misunderstanding on my part.


Cheers,
J

On Mon, Jun 30, 2008 at 12:05 PM, Salvo Danilo Giuffrida
<salvodanilogiuffrida at ...2499...> wrote:
> No, maybe you didn't understand me, but I need to generate at least a
> "fake" packet from inside Snort, because otherwise the alerts
> generated inside my preprocessor aren't registered in the
> /var/log/snort/alert file, even if I successfully insert them in the
> event queue...That's because apparently every alert must be tied to a
> packet...
>
> 2008/6/30 Justin Heath <justin.heath at ...2499...>:
>> Rather than creating a "fake" packet, you would probably be better
>> served by creating a really generic rule, such as
>>
>> alert tcp any any -> any any (msg: "TCP Stuff"; sid:12345678;)
>>
>> Use stdout options (such as -A cmg) to see the alerts as they are generated.
>>
>> If you're dead set on creating "fake" packets and you want something
>> easy, try editing an existing pcap with netdude. Otherwise try
>> something like Scapy.
>>
>>
>> Cheers,
>> Justin
>>
>>
>> On Mon, Jun 30, 2008 at 4:17 AM, Salvo Danilo Giuffrida
>> <salvodanilogiuffrida at ...2499...> wrote:
>>> Hello, to try to solve the problems I have in generating alerts, I'm
>>> exploring the possibility of creating a 'fake' packet when I want to
>>> generate one, and then call 'SetEvent' and 'CallAlertFuncs' to
>>> generate an Event and tie it to the fake packet, so maybe I'll be able
>>> to see alerts as soon as I generate them, not only when I quit Snort,
>>> and only at the maximum value configured in the snort.conf file....
>>> So, apart from manually filling a Packet structure, is there any
>>> simpler way to generate a fake packet in Snort (by 'fake' I mean a
>>> packet that for example has the same source and destination, like
>>> 127.0.0.1 or 0.0.0.0)?
>>> Thanks a lot
>>>
>>> _______________________________________________
>>> Snort-devel mailing list
>>> Snort-devel at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>
>>
>
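As an added example (not from the thread, and not Snort's own code), here is a stand-alone Python script that builds the loopback-to-loopback TCP packet Salvo describes and writes it to a pcap file without Scapy, so it can be replayed into Snort to exercise a generic rule or a preprocessor under test. The MAC addresses, ports and timestamps are constructed values; `snort -r`, `-c` and `-A cmg` are assumed to be the Snort 2 command-line options of the time.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """Pseudo-header prepended to the segment when computing the TCP checksum."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)

def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                    payload: bytes = b"", flags: int = 0x02) -> bytes:
    """Ethernet/IPv4/TCP frame with valid checksums; src and dst may be identical."""
    tcp_len = 20 + len(payload)
    # data offset 5 words, flags default SYN (0x02), window 8192, checksum 0 for now
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    tcp_sum = checksum(tcp_pseudo_header(src_ip, dst_ip, tcp_len) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tcp_sum) + tcp[18:]
    # IPv4: version/IHL 0x45, TTL 64, protocol 6 (TCP), checksum filled in below
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00" * 12 + b"\x08\x00"  # constructed all-zero MACs, EtherType 0x0800 (IPv4)
    return eth + ip + tcp

def pcap_bytes(frames) -> bytes:
    """Serialise frames as a classic libpcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # constructed timestamps: one second apart, zero microseconds
        out += struct.pack("<IIII", 1214784000 + i, 0, len(frame), len(frame)) + frame
    return out

def write_pcap(path: str, frames) -> None:
    with open(path, "wb") as f:
        f.write(pcap_bytes(frames))

if __name__ == "__main__":
    # A 127.0.0.1 -> 127.0.0.1 SYN like the one asked about; replay it with
    # `snort -r fake.pcap -c snort.conf -A cmg` to watch the alert fire on stdout.
    write_pcap("fake.pcap", [build_tcp_frame("127.0.0.1", "127.0.0.1", 40000, 80)])
```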