[Snort-sigs] Triggering a complex snort rule (packet forging)

Asiri Rathnayake asiri.rathnayake at ...2420...
Tue Apr 2 17:47:50 EDT 2013


Hi Nathan,


On Tue, Apr 2, 2013 at 2:11 PM, lists at ...3397... <lists at ...3397...> wrote:

> On 04/02/2013 06:13 AM, Asiri Rathnayake wrote:
> >
> > I was wondering if it's possible to forge packets with Scapy [1] and
> > throw them at HOME_NET in such a way that would make Snort believe that
> > those packets correspond to the signature in the rule above. Would Snort
> > fall into such forged traffic?
>
> I believe the issue in using Scapy is that you're trying to forge an HTTP
> Response header/body but at the same time the example signature you've
> provided is using flow:to_client,established. I'm not sure if, with regard
> to Scapy, you're going to be forging a PSH packet alone. Honestly, I'm not
> quite sure how you would use Scapy in this scenario successfully since the
> client machine is expecting to be the one establishing the connection and
> expecting a PSH (reasonable expectation, I know RST, and lack of 3-way).


It took me some time to digest some of the things you mentioned, but I think
you are correct.

While I might be able to forge packets with Scapy, it looks like I'll have
a hard time escaping the Stream5 TCP re-assembly module. After reading
[1,2,3] and several other articles on the web, I've come to the conclusion
that I cannot simply "throw packets from outside" matching the rule signature
I mentioned. My guess is that the Stream5 pre-processor module will detect
that there was no established flow and will either reject the packet or let
it pass through but not consider it as matching the rule signature (since
there is no established flow).

I hope this understanding is correct.

Many thanks.

- Asiri

[1] http://blog.snort.org/2011/09/flow-matters.html
[2] http://manual.snort.org/node33.html#SECTION00469000000000000000
[3] http://manual.snort.org/node17.html#stream5_section
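The following is an added illustration of the point discussed in this thread and is not code from the thread or from the Snort project. It is a small Python model of a stream-aware tracker that only reports a flow as established after it has seen a full SYN / SYN-ACK / ACK exchange (the behaviour Snort's stream5 `require_3whs` option enforces; this model assumes that setting and ignores sequence numbers entirely), followed by a rule with `flow:to_client,established` and a `content:` match. The rule, the addresses and the payloads are constructed for the example; the rule from the original thread is not reproduced here. The two scenarios compare a single forged PSH/ACK "thrown" at HOME_NET, as a Scapy one-liner would send it, against the same payload delivered after a real handshake from the home host.

```python
# Added example: a toy model of Stream5-style TCP flow tracking in front of a
# rule carrying flow:to_client,established. Not Snort code; it assumes a full
# three-way handshake is required (compare stream5's require_3whs option) and
# ignores sequence numbers, retransmissions and reassembly.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flag letters as Scapy prints them: "S", "SA", "A", "PA"
    payload: bytes = b""


@dataclass
class Session:
    client: tuple         # (ip, port) of the side that sent the SYN
    server: tuple
    state: str            # "SYN_SENT" -> "SYN_RECV" -> "ESTABLISHED"


class FlowTracker:
    """Tracks TCP sessions keyed by the unordered pair of endpoints."""

    def __init__(self):
        self.sessions = {}

    @staticmethod
    def _key(pkt):
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def process(self, pkt) -> Optional[dict]:
        """Update session state for pkt and return its flow attributes, or
        None when the packet belongs to no tracked session (a lone forged
        segment with no SYN behind it)."""
        key = self._key(pkt)
        sess = self.sessions.get(key)
        if sess is None:
            if pkt.flags != "S":
                return None       # no SYN seen for this 4-tuple: not a tracked flow
            sess = Session((pkt.src, pkt.sport), (pkt.dst, pkt.dport), "SYN_SENT")
            self.sessions[key] = sess
        from_client = (pkt.src, pkt.sport) == sess.client
        if sess.state == "SYN_SENT" and pkt.flags == "SA" and not from_client:
            sess.state = "SYN_RECV"
        elif sess.state == "SYN_RECV" and pkt.flags == "A" and from_client:
            sess.state = "ESTABLISHED"
        return {"established": sess.state == "ESTABLISHED",
                "direction": "to_server" if from_client else "to_client"}


@dataclass(frozen=True)
class Rule:
    msg: str
    direction: str            # flow: to_client / to_server
    content: bytes            # content: option, checked against the payload
    established: bool = True  # flow: established

    def matches(self, pkt, flow) -> bool:
        if flow is None:
            return False      # an untracked packet never satisfies flow:established
        if self.established and not flow["established"]:
            return False
        if flow["direction"] != self.direction:
            return False
        return self.content in pkt.payload


def evaluate(packets, rule):
    """Feed packets through the tracker in order; return msgs of rules that fired."""
    tracker = FlowTracker()
    alerts = []
    for pkt in packets:
        flow = tracker.process(pkt)
        if rule.matches(pkt, flow):
            alerts.append(rule.msg)
    return alerts


# Constructed rule in the spirit of the one under discussion: a marker in an
# HTTP response body, only in the to_client direction of an established flow.
RULE = Rule(msg="EXAMPLE evil response body", direction="to_client", content=b"EVIL-MARKER")

# Constructed endpoints: a HOME_NET client and an external "web server".
HOME, EXT = ("10.0.0.5", 40000), ("203.0.113.9", 80)


def forged_only():
    """What a Scapy one-liner sends when it just 'throws' a PSH/ACK at HOME_NET."""
    pkts = [Packet(*EXT, *HOME, "PA", b"HTTP/1.1 200 OK\r\n\r\nEVIL-MARKER")]
    return evaluate(pkts, RULE)


def with_handshake():
    """The same response payload after a real three-way handshake from the home host."""
    pkts = [
        Packet(*HOME, *EXT, "S"),
        Packet(*EXT, *HOME, "SA"),
        Packet(*HOME, *EXT, "A"),
        Packet(*HOME, *EXT, "PA", b"GET / HTTP/1.1\r\n\r\n"),
        Packet(*EXT, *HOME, "PA", b"HTTP/1.1 200 OK\r\n\r\nEVIL-MARKER"),
    ]
    return evaluate(pkts, RULE)


if __name__ == "__main__":
    print("forged only   :", forged_only())       # []
    print("with handshake:", with_handshake())    # ['EXAMPLE evil response body']
```

The forged segment carries exactly the bytes the `content:` option looks for, yet nothing fires, because the tracker has no session for that 4-tuple and `flow:established` can never be satisfied. Only when the home host itself opens the connection does the server-to-client data segment get evaluated as `to_client,established`. Whether a real Snort deployment drops or simply ignores such untracked segments depends on its stream5 configuration, which this model does not attempt to reproduce.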

