[Snort-devel] How to generate fake Packets?

Jason Brvenik jasonb at ...402...
Mon Jun 30 12:27:19 EDT 2008


You could look at the portscan preprocessor for an example of how to do 
that.

Justin Heath wrote:
> Sorry, misunderstanding on my part.
> 
> 
> Cheers,
> J
> 
> On Mon, Jun 30, 2008 at 12:05 PM, Salvo Danilo Giuffrida
> <salvodanilogiuffrida at ...2499...> wrote:
>> No, maybe you didn't understand me, but I need to generate at least a
>> "fake" packet from inside Snort, because otherwise the alerts
>> generated inside my preprocessor aren't registered in the
>> /var/log/snort/alert file, even if I successfully insert them in the
>> event queue...That's because apparently every alert must be tied to a
>> packet...
>>
>> 2008/6/30 Justin Heath <justin.heath at ...2499...>:
>>> Rather than creating a "fake" packet, you would probably be better
>>> served by creating a really generic rule, such as
>>>
>>> alert tcp any any -> any any (msg: "TCP Stuff"; sid:12345678;)
>>>
>>> Use stdout options (such as -A cmg) to see the alerts as they are generated.
>>>
>>> If you're dead set on creating "fake" packets and you want something
>>> easy, try editing an existing pcap with netdude. Otherwise try
>>> something like Scapy.
>>>
>>>
>>> Cheers,
>>> Justin
>>>
>>>
>>> On Mon, Jun 30, 2008 at 4:17 AM, Salvo Danilo Giuffrida
>>> <salvodanilogiuffrida at ...2499...> wrote:
>>>> Hello, to try to solve the problems I have in generating alerts, I'm
>>>> exploring the possibility of creating a 'fake' packet when I want to
>>>> generate one, and then call 'SetEvent' and 'CallAlertFuncs' to
>>>> generate an Event and tie it to the fake packet, so maybe I'll be able
>>>> to see alerts as soon as I generate them, not only when I quit Snort,
>>>> and only at the maximum value configured in the snort.conf file....
>>>> So, apart from manually filling a Packet structure, is there any
>>>> simpler way to generate a fake packet in Snort (by 'fake' I mean a
>>>> packet that for example has the same source and destination, like
>>>> 127.0.0.1 or 0.0.0.0)?
>>>> Thanks a lot
>>>>
>>>> -------------------------------------------------------------------------
>>>> Check out the new SourceForge.net Marketplace.
>>>> It's the best place to buy or sell services for
>>>> just about anything Open Source.
>>>> http://sourceforge.net/services/buy/index.php
>>>> _______________________________________________
>>>> Snort-devel mailing list
>>>> Snort-devel at lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/snort-devel
>>>>
> 
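As an added example (not from this thread and not Snort's own code), here is a dependency-free Python pcap writer, a stand-in for the Scapy/netdude route Justin suggests: it crafts a loopback 127.0.0.1 -> 127.0.0.1 TCP SYN of the kind Salvo describes, with valid IP and TCP checksums, so the file can be replayed with `snort -r` against the generic `alert tcp any any -> any any` rule. All addresses, ports, timestamp and the output file name are constructed values.

```python
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP and TCP use the same)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp_packet(src="127.0.0.1", dst="127.0.0.1", sport=12345, dport=80, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP SYN frame; src == dst by default, the 'fake' case from the thread."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # TCP header: seq=0, ack=0, data offset 5 (20 bytes), SYN flag, window 8192, csum 0, urg 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    # TCP checksum covers the pseudo-header (src, dst, zero, proto 6, TCP length) plus segment
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: ver/IHL 0x45, TOS 0, total length, ID 1, no flags, TTL 64, proto 6, csum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00" * 12 + b"\x08\x00"   # zeroed MACs, EtherType IPv4
    return eth + ip + tcp

def build_pcap(frames, snaplen=65535) -> bytes:
    """Classic libpcap file: 24-byte global header (LINKTYPE_ETHERNET=1) + 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        ts_sec = 1214784000 + i   # constructed timestamp (2008-06-30 UTC), one second apart
        out += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    pkt = build_tcp_packet(payload=b"fake")
    with open("fake.pcap", "wb") as f:   # then: snort -r fake.pcap -c snort.conf -A cmg
        f.write(build_pcap([pkt]))
```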