[Snort-sigs] Triggering a complex snort rule (packet forging)

lists at ...3397... lists at ...3397...
Tue Apr 2 09:11:50 EDT 2013

On 04/02/2013 06:13 AM, Asiri Rathnayake wrote:
> I was wondering if it's possible to forge packets with Scapy [1] and throw them
> at HOME_NET in such a way that would make Snort believe that those packets
> correspond to the signature in the rule above. Would Snort fall into such forged
> traffic?

I believe the issue in using Scapy is that you're trying to forge an HTTP
Response header/body but at the same time the example signature you've provided
is using flow:to_client,established.  I'm not sure if, with regard to Scapy,
you're going to be forging a PSH packet alone.  Honestly, I'm not quite sure how
you would use Scapy in this scenario successfully since the client machine is
expecting to be the one establishing the connection and expecting a PSH
(reasonable expectation, I know RST, and lack of 3-way).

> I found [3] while reading [2], but it seems rule2alert is in an early stage of
> development (it says it can only handle simple rules). If someone can kindly
> confirm if the strategy I have highlighted above is viable, then I will be able
> to dig deeper into forging packets with Scapy. I thought it would be wise to ask
> here first just in case if I'm headed the wrong way (I'm a bit new to IDP/IDS
> domain).

Welcome to the IDS fun :)  I'd just stand up a webserver you can control over
and craft the pages to send the payload you're attempting to match on.  This is
what I do and it's much easier than packet forging.  Also, consider too, this is
as close as you can get to real world examples of the content you're trying to
match on.  You're behaving exactly as a webserver should and you don't need to
worry about false negatives or false positives as a result of packet
forging/crafting on the wire.

Cheers and hope this helped,
Nathan Fowler

More information about the Snort-sigs mailing list