[Snort-sigs] Triggering a complex snort rule (packet forging)
asiri.rathnayake at ...2420...
Tue Apr 2 18:01:04 EDT 2013
Following reply was sent only to wkitty by mistake. Re-sending it to the
list just for reference.
On Tue, Apr 2, 2013 at 5:21 PM, Asiri Rathnayake <asiri.rathnayake at ...2420...
> On Tue, Apr 2, 2013 at 4:36 PM, waldo kitty <wkitty42 at ...3507...>wrote:
>> On 4/2/2013 07:28, Asiri Rathnayake wrote:
>> > May be I should've been more specific, sorry about that. I need to
>> trigger the
>> > rule from the outside, without depending on the client.
>> your rule requires an "established" connection so there has to be another
>> end of
>> the pipeline... the "server" is one end but where is the data going if
>> there is
>> no client involved?
>> it may be possible, as others have pointed out, to simulate it via
>> pcaps, though... not really something i'd want to attempt unless there is
>> a tool
>> that can easily generate such a pcap of sufficient size... i'm not aware
>> of one
>> but others may be...
>> my initial gut reaction says the /easiest/ method would be to use a
>> client and a remote server...
> I agree with you on all the points. However, I have a specific requirement
> of being able to trigger the rule from the outside.
> This requirement came from a research we're currently working on:
> It's possible for rule writers to introduce vulnerable regular expressions
> into their PCRE rules which could be exploitable. We found several such
> rules but all of them seem to be looking at some sort of response traffic.
> This is why I started investigating if it's possible to trigger those
> rules without involving a client. If I can figure out a way to trigger the
> rules that way, then I might be able to send malicious packets to a snort
> protected network and see how snort will handle the situation.
> I didn't want to go into these details because our research is very
> specific. But may be I over-simplified the problem by trying to avoid
> talking about it.
> It seems what I'm trying to do is extremely uncommon, and the usual
> approach is to get some support from the client. Having the support from
> the client would work really well for testing this kind of rules, but as
> far as I can understand, it wouldn't help much if I'm trying to
> (repeatedly) trigger a rule from the outside.
> Many thanks for all of your inputs!
> - Asiri
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs