[Snort-sigs] How to simulate attacks using CASL

Matt Kettler mkettler at ...189...
Tue Feb 3 10:19:09 EST 2004

At 08:22 AM 2/3/2004, Bini Mary Thomas wrote:
>Dear all,
>        i was trying to simulate security attacks with CASL. My problem
>is that i cannot simulate attacks which has to make an established TCP
>connection. Kernel is not letting to complete the handshake.for the
>initial SYN packet i am getting reply(SYN and ACK set) from server.but
>then, the client kernel is sending a RST in the reply..
>           is there a way to stop the packet from going to the kernel in
>CASL? so that the kernel will not sent a reset ....

1) this belongs on snort-users, not snort-sigs. Just a FYI for future postings.

2) I'd suggest using IPTables, IPF, or whatever your local kernel-level 
firewall tool is to force the system to silently drop the syn-ack packets 
before sending them to the IP stack. Since CASL uses wire-level sniffing 
(just like snort does) it will still see the syn-ack packets, even if 
iptables/ipf/whatever kills it.

More information about the Snort-sigs mailing list