[Snort-sigs] Triggering a complex snort rule (packet forging)

Asiri Rathnayake asiri.rathnayake at ...2420...
Tue Apr 2 18:01:04 EDT 2013


The following reply was sent only to wkitty by mistake. Re-sending it to the
list just for reference.

Thanks all!

- Asiri

On Tue, Apr 2, 2013 at 5:21 PM, Asiri Rathnayake <asiri.rathnayake at ...2420...
> wrote:

> Hello,
>
> On Tue, Apr 2, 2013 at 4:36 PM, waldo kitty <wkitty42 at ...3507...>wrote:
>
>> On 4/2/2013 07:28, Asiri Rathnayake wrote:
>> > Maybe I should've been more specific, sorry about that. I need to trigger the
>> > rule from the outside, without depending on the client.
>>
>> your rule requires an "established" connection so there has to be another end of
>> the pipeline... the "server" is one end but where is the data going if there is
>> no client involved?
>>
>> it may be possible, as others have pointed out, to simulate it via constructed
>> pcaps, though... not really something i'd want to attempt unless there is a tool
>> that can easily generate such a pcap of sufficient size... i'm not aware of one
>> but others may be...
>>
>> my initial gut reaction says the /easiest/ method would be to use a scripted
>> client and a remote server...
>>
>
> I agree with you on all the points. However, I have a specific requirement
> of being able to trigger the rule from the outside.
>
> This requirement came from research we're currently working on:
>
> http://www.cs.bham.ac.uk/~hxt/research/rxxr.shtml
>
> It's possible for rule writers to introduce vulnerable regular expressions
> into their PCRE rules which could be exploitable. We found several such
> rules but all of them seem to be looking at some sort of response traffic.
>
> This is why I started investigating if it's possible to trigger those
> rules without involving a client. If I can figure out a way to trigger the
> rules that way, then I might be able to send malicious packets to a snort
> protected network and see how snort will handle the situation.
>
> I didn't want to go into these details because our research is very
> specific. But maybe I over-simplified the problem by trying to avoid
> talking about it.
>
> It seems what I'm trying to do is extremely uncommon, and the usual
> approach is to get some support from the client. Having the support from
> the client would work really well for testing this kind of rule, but as
> far as I can understand, it wouldn't help much if I'm trying to
> (repeatedly) trigger a rule from the outside.
>
> Many thanks for all of your inputs!
>
> - Asiri
>
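The "constructed pcap" route wkitty mentions above, as an added example for this thread (not code from the original post or from the Snort project): a small Python script that forges a complete TCP three-way handshake between two made-up hosts, follows it with one server-to-client segment carrying whatever bytes the rule's PCRE should be matched against, and writes the result as a classic pcap that `snort -r` can replay. Every address, port, MAC, timestamp and the sample HTTP response in it is an invented test fixture. Snort's stream preprocessor decides `established` from the TCP state it has observed, so the forged handshake is what lets a `flow:to_client,established` rule fire with no real client anywhere on the wire.

```python
"""Forge an established TCP session into a pcap so that a Snort rule with
flow:to_client,established can be replayed with `snort -r` and no live client.

Added example for this thread, not code from the original post or from Snort.
Every address, port, MAC, timestamp and the sample payload is a constructed value.
"""
import itertools
import socket
import struct

# Constructed endpoints (assumptions, not taken from the thread).
CLIENT = ("10.0.0.2", 40000)
SERVER = ("10.0.0.1", 80)
MAC_CLIENT = bytes.fromhex("020000000002")
MAC_SERVER = bytes.fromhex("020000000001")

SYN, PSH, ACK = 0x02, 0x08, 0x10
PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """20-byte TCP header (no options), checksummed over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, 6, len(hdr) + len(payload)))
    hdr = hdr[:16] + struct.pack("!H", _csum(pseudo + hdr + payload)) + hdr[18:]
    return hdr + payload


def _ipv4(src, dst, ident, segment):
    """20-byte IPv4 header: DF set, TTL 64, protocol 6 (TCP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ident, 0x4000, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _csum(hdr)) + hdr[12:]
    return hdr + segment


def build_session(payload, client=CLIENT, server=SERVER, client_isn=1000, server_isn=5000):
    """Return Ethernet frames for SYN, SYN/ACK, ACK, a server PSH/ACK carrying
    `payload`, and the client's ACK of it: the minimum a stream tracker has to see
    before it treats the server->client data as part of an established flow."""
    ids = itertools.count(1)

    def frame(src_mac, dst_mac, src, dst, sport, dport, seq, ack, flags, data=b""):
        seg = _tcp(src, dst, sport, dport, seq, ack, flags, data)
        return dst_mac + src_mac + b"\x08\x00" + _ipv4(src, dst, next(ids), seg)

    def c2s(flags, seq, ack, data=b""):
        return frame(MAC_CLIENT, MAC_SERVER, client[0], server[0],
                     client[1], server[1], seq, ack, flags, data)

    def s2c(flags, seq, ack, data=b""):
        return frame(MAC_SERVER, MAC_CLIENT, server[0], client[0],
                     server[1], client[1], seq, ack, flags, data)

    return [
        c2s(SYN, client_isn, 0),
        s2c(SYN | ACK, server_isn, client_isn + 1),
        c2s(ACK, client_isn + 1, server_isn + 1),
        s2c(PSH | ACK, server_isn + 1, client_isn + 1, payload),
        c2s(ACK, client_isn + 1, server_isn + 1 + len(payload)),
    ]


def pcap_bytes(frames, start_ts=1364947264):
    """Serialize frames as a classic little-endian pcap, 1 ms apart (arbitrary epoch)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", start_ts, i * 1000, len(f), len(f)) + f)
    return b"".join(out)


def decode(frame):
    """Parse a frame back out and verify both checksums (a header summed together
    with its own checksum field must come out as zero); sanity-checks what we wrote."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ip = ip[:struct.unpack("!H", ip[2:4])[0]]
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "payload": tcp[(off_flags >> 12) * 4:],
        "checksums_ok": _csum(ip[:ihl]) == 0 and _csum(pseudo + tcp) == 0,
    }


if __name__ == "__main__":
    # Constructed sample response; put the bytes a rule's PCRE should see here.
    response = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
    session = build_session(response)
    assert all(decode(f)["checksums_ok"] for f in session)
    with open("session.pcap", "wb") as fh:
        fh.write(pcap_bytes(session))
    print("wrote session.pcap (%d frames); replay with: snort -c snort.conf -r session.pcap"
          % len(session))
```

Replaying the file offline (`snort -c snort.conf -r session.pcap`) exercises the rule and its PCRE against a payload you control, which is what is needed to measure how long the engine spends in a given regex. It does not solve the harder requirement in Asiri's message: on a live network the same frames would have to be sent with spoofed addresses for both the protected client and the server, and a real host at either address would answer the unexpected segments with resets, so the sensor would see a session it has no reason to consider established.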