[Snort-sigs] Triggering a complex snort rule (packet forging)

Asiri Rathnayake asiri.rathnayake at ...2420...
Tue Apr 2 08:28:48 EDT 2013


Hi Jamie,

Thank you for the quick response!

> Wouldn't the easiest way be to set up a page on a remote webserver which
> matches the signature (content:"") ? Then you could hit download as much as
> you like, and you should get an alert.
>

For testing the rule repeatedly, yes, this would work.

However, this involves the client (hitting download). What I'm interested
in is if I could simply send packets from outside and trigger the rule
(without having the client do anything). This is why I was looking into
packet forging, sort of like trying to emulate return traffic from the
server (matching the signature of the rule).

Maybe I should've been more specific, sorry about that. I need to trigger
the rule from the outside, without depending on the client.

Many thanks.

- Asiri


>
>
> thanks,
>  Jamie
> --
> Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
> http://uk.linkedin.com/in/jamieriden
>
>
>