[Snort-devel] Triggering a complex snort rule (packet forging)

Asiri Rathnayake asiri.rathnayake at ...2499...
Tue Apr 2 07:10:10 EDT 2013


Hello Again,

This email was supposed to be sent to the users list. Please ignore this.

Sorry.

- Asiri


On Tue, Apr 2, 2013 at 12:07 PM, Asiri Rathnayake <asiri.rathnayake at ...2499...> wrote:

> Dear All,
>
> This may be a bit of a naive question, but I couldn't find a definitive answer
> on the web.
>
> Let's say we have a rule of the following form:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"...";
> flow:to_client,established; content:"..."; nocase; http_header;
> metadata:service http; classtype:attempted-user; ...)
>
> This rule will only be triggered on the return traffic from some server
> (?). If I understand correctly, this means the client (a computer on the
> HOME_NET) made a request to some server (EXTERNAL_NET) and this rule is
> looking into the response from the server.
>
> My question is, how can such a rule be tested? (I need to trigger the rule
> repeatedly)
>
> I was wondering if it's possible to forge packets with Scapy [1] and throw
> them at HOME_NET in such a way that would make Snort believe that those
> packets correspond to the signature in the rule above. Would Snort fall
> into such forged traffic?
>
> I found [3] while reading [2], but it seems rule2alert is in an early
> stage of development (it says it can only handle simple rules). If someone
> can kindly confirm whether the strategy I have highlighted above is viable, then
> I will be able to dig deeper into forging packets with Scapy. I thought it
> would be wise to ask here first, just in case I'm headed the wrong way
> (I'm a bit new to the IDP/IDS domain).
>
> Thanks a lot for your time.
>
> - Asiri
>
>
> [1] http://www.secdev.org/projects/scapy/
> [2] http://seclists.org/snort/2011/q1/648
> [3] https://code.google.com/p/rule2alert/
>
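One self-contained way to build the traffic the question describes, added here as an example and not code from Asiri's message or from rule2alert: a pure-Python pcap builder (no Scapy dependency) that writes a complete three-way handshake, a client request and a server response from port 80 carrying a constructed placeholder header, so that Snort's stream tracking classifies the flow as established and the response packet as to_client when the file is replayed offline with `snort -r`. The addresses, ports, sequence numbers, MAC addresses and the `X-Test-Header` value are assumptions: the client must fall inside $HOME_NET, the server inside $EXTERNAL_NET, the server port inside $HTTP_PORTS, and the header text must be replaced with the rule's actual content pattern.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; yields 0 over data carrying a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP frame with valid checksums (flags: 0x02 SYN, 0x12 SYN/ACK,
    0x10 ACK, 0x18 PSH/ACK). MAC addresses are constructed placeholders."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp

def tcp_checksum_ok(frame: bytes) -> bool:
    """Re-validate the TCP checksum of a frame built by tcp_packet()."""
    ip, tcp = frame[14:34], frame[34:]
    return checksum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0

def build_session(client="192.168.1.10", server="203.0.113.5", sport=40000, dport=80,
                  header=b"X-Test-Header: trigger-me"):
    """Handshake, request, response: stream tracking then sees the flow as
    'established', and the response (server:80 -> client) is 'to_client'."""
    req = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\n" + header + b"\r\nContent-Length: 0\r\n\r\n"
    cseq, sseq = 1000, 5000  # constructed initial sequence numbers
    return [
        tcp_packet(client, server, sport, dport, cseq, 0, 0x02),                  # SYN
        tcp_packet(server, client, dport, sport, sseq, cseq + 1, 0x12),           # SYN/ACK
        tcp_packet(client, server, sport, dport, cseq + 1, sseq + 1, 0x10),       # ACK
        tcp_packet(client, server, sport, dport, cseq + 1, sseq + 1, 0x18, req),  # request
        tcp_packet(server, client, dport, sport, sseq + 1, cseq + 1 + len(req), 0x18, resp),
    ]

def write_pcap(path, frames):
    """Little-endian pcap, linktype 1 (Ethernet), replayable with `snort -r`."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", i, 0, len(fr), len(fr)) + fr)
```

Calling `write_pcap("session.pcap", build_session())` and then running `snort -c snort.conf -r session.pcap` lets the rule be triggered as often as needed without sending anything on the wire, which also makes the test repeatable across rule revisions.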