Jamie Riden jamie.riden at ...2420...
Tue Apr 2 08:15:51 EDT 2013

On 2 April 2013 12:13, Asiri Rathnayake <asiri.rathnayake at ...2420...> wrote:

> Dear All,
> This may be a bit of a naive question, but I couldn't find a definitive answer
> on the web.
> Let's say we have a rule of the following form:
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"...";
> flow:to_client,established; content:"..."; nocase; http_header;
> metadata:service http; classtype:attempted-user; ...)
> This rule will only be triggered on the return traffic from some server
> (?). If I understand correctly, this means the client (a computer on the
> HOME_NET) made a request to some server (EXTERNAL_NET) and this rule is
> looking into the response from the server.
> My question is, how can such a rule be tested? (I need to trigger the rule
> repeatedly)
Wouldn't the easiest way be to set up a page on a remote web server which
matches the signature (content:"")? Then you could hit/download it as much as
you like, and you should get an alert.

Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
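A worked version of the approach above, added here as an example and not part of the original thread: a minimal HTTP server that puts a marker string into a response header, plus a client that fetches the page repeatedly. Because the quoted rule uses http_header with flow:to_client, the marker has to appear in the server's response headers, not in the page body, for the content match to fire. The header name and value (X-Sig-Test / snort-http-header-test) are hypothetical placeholders, since the rule's real content value is elided in the post; to trigger the actual rule, the server must sit in $EXTERNAL_NET on a port in $HTTP_PORTS, the client in $HOME_NET, and the sensor must see both directions of the established flow.

```python
"""Serve a page whose HTTP response headers carry a chosen marker, so a rule
of the form  flow:to_client,established; content:"..."; http_header;  can be
triggered on demand by fetching the page from a $HOME_NET client.
Added example; the header name/value below are assumed placeholders."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import urlopen

# Hypothetical marker: substitute the rule's actual content value here.
TRIGGER_HEADER = "X-Sig-Test"
TRIGGER_VALUE = "snort-http-header-test"


class TriggerHandler(BaseHTTPRequestHandler):
    """Answer every GET with 200 and the marker in a response header.
    http_header restricts the match to extracted HTTP header fields, so a
    marker placed only in the body would not satisfy this rule."""

    def do_GET(self):
        body = b"signature test page\n"  # body content is irrelevant to the rule
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.send_header(TRIGGER_HEADER, TRIGGER_VALUE)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # keep the server quiet; the sensor's alert log is what we care about
        pass


def start_server(host="127.0.0.1", port=0):
    """Start the test server in a background thread.
    port=0 picks a free port (use 80 on the real $EXTERNAL_NET host so the
    source port falls within $HTTP_PORTS)."""
    srv = HTTPServer((host, port), TriggerHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_headers(url):
    """Client side: one GET over a fresh TCP connection; returns the
    server->client response headers as a dict."""
    with urlopen(url, timeout=5) as resp:
        return dict(resp.getheaders())


def trigger(url, times=3):
    """Hit the page repeatedly. Each fetch is one established flow whose
    to_client response contains the marker, so each should yield an alert."""
    return [fetch_headers(url) for _ in range(times)]


if __name__ == "__main__":
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_port}/"
    for hdrs in trigger(url, 3):
        print(TRIGGER_HEADER, "=", hdrs.get(TRIGGER_HEADER))
    srv.shutdown()
```

Run the server on the external host and point `trigger()` at it from inside $HOME_NET; because the rule carries nocase, the case of the marker in the header does not matter, but its placement in the header section does.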
