[Snort-sigs] Triggering a complex snort rule (packet forging)

Jamie Riden jamie.riden at ...2420...
Tue Apr 2 08:31:47 EDT 2013


You could look at grabbing a real packet and using tcpreplay maybe?


On 2 April 2013 13:28, Asiri Rathnayake <asiri.rathnayake at ...2420...> wrote:

> Hi Jamie,
>
> Thank you for the quick response!
>
>> Wouldn't the easiest way be to set up a page on a remote webserver which
>> matches the signature (content:"") ? Then you could hit download as much as
>> you like, and you should get an alert.
>>
>
> For testing the rule repeatedly, yes, this would work.
>
> However, this involves the client (hitting download). What I'm interested
> in is if I could simply send packets from outside and trigger the rule
> (without having the client do anything). This is why I was looking into
> packet forging, sort of like trying to emulate return traffic from the
> server (matching the signature of the rule).
>
> Maybe I should've been more specific, sorry about that. I need to trigger
> the rule from the outside, without depending on the client.
>
> Many thanks.
>
> - Asiri
>
>
>>
>>
>> thanks,
>>  Jamie
>> --
>> Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
>> http://uk.linkedin.com/in/jamieriden
>>
>>
>>
>


-- 
Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
http://uk.linkedin.com/in/jamieriden
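
An added example, not part of the original thread: for rule testing without a live client, this builds a pcap holding a TCP handshake plus a server-to-client HTTP response, which can be read offline with `snort -r` or replayed with tcpreplay as suggested above. The addresses, ports, MACs, sequence numbers and the `SIGTEST-PLACEHOLDER` payload are constructed assumptions; substitute the content string of the rule under test.

```python
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame with valid checksums (constructed MACs)."""
    s, d = (bytes(map(int, a.split("."))) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", csum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000, 64, 6, 0) + s + d
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    return b"\x02\x00\x00\x00\x00\x02\x02\x00\x00\x00\x00\x01\x08\x00" + ip + tcp + payload

def session(client, server, cport, request, response):
    """Handshake, client request, then the server-to-client segment under test.
    The handshake lets rules with flow:established,to_client see a tracked stream."""
    c, s = 1000, 5000  # constructed initial sequence numbers
    SYN, PSH, ACK = 0x02, 0x08, 0x10
    return [
        frame(client, server, cport, 80, c, 0, SYN),
        frame(server, client, 80, cport, s, c + 1, SYN | ACK),
        frame(client, server, cport, 80, c + 1, s + 1, ACK),
        frame(client, server, cport, 80, c + 1, s + 1, PSH | ACK, request),
        frame(server, client, 80, cport, s + 1, c + 1 + len(request), PSH | ACK, response),
    ]

def write_pcap(path, frames):
    """Classic little-endian pcap, LINKTYPE_ETHERNET (1), packets 1 ms apart."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", 0, i * 1000, len(fr), len(fr)) + fr)

if __name__ == "__main__":
    body = b"SIGTEST-PLACEHOLDER"  # stand-in for the rule's content:"..." string
    req = b"GET /test HTTP/1.1\r\nHost: test.example\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n" % len(body) + body
    write_pcap("rule_test.pcap", session("192.0.2.10", "198.51.100.20", 40000, req, resp))
    # Offline check: snort -r rule_test.pcap -c <your snort.conf> -A console
```

Before replaying onto a wire with tcpreplay, the MAC and IP addresses need to match the test network the sensor is watching.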