[Snort-users] pcaps for triggering rules

Peter Bates peter.bates at ...15381...
Fri Aug 24 04:01:17 EDT 2012



Hello all

On 24/08/2012 07:26, Pratik Narang wrote:
> A good deal of Snort rules do a 'content' check. Can I use some
> utility so that I may be able to craft or tamper packets just to
> suit them to trigger Snort rules of my choice? Essentially, I
> guess, I am asking if I can create sample pcaps or modify actual
> pcap captures which will trigger certain rules.

Others have replied with better suggestions but I just thought I'd
also suggest Pytbull - http://pytbull.sourceforge.net/

Last time I tried it out most of the 'content' checks failed dismally
but then they are for the download of very specific malware.

-- 
Peter Bates
Senior Computer Security Officer    Phone: +44(0)2076792049
Information Services Division	    Internal Ext: 32049
University College London
London WC1E 6BT
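
One way to build a test capture for a 'content' rule by hand, as an added example that is not part of the original post and is not Pytbull code: it writes a pcap holding a TCP three-way handshake and one data segment carrying a chosen payload, using only the Python standard library. The addresses, ports, sequence numbers, marker string, rule text and output file name are all constructed for illustration.

```python
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum over `data`."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame with valid checksums."""
    sip, dip = (bytes(map(int, a.split("."))) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", csum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0) + sip + dip
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002" "020000000001" "0800")  # constructed MACs, IPv4
    return eth + ip + tcp + payload

def build_pcap(payload, client="192.0.2.10", server="192.0.2.20", sport=40000, dport=80):
    """Three-way handshake plus one client data segment, returned as pcap bytes."""
    c, s = 1000, 5000  # constructed initial sequence numbers
    frames = [
        tcp_frame(client, server, sport, dport, c, 0, 0x02),                   # SYN
        tcp_frame(server, client, dport, sport, s, c + 1, 0x12),               # SYN-ACK
        tcp_frame(client, server, sport, dport, c + 1, s + 1, 0x10),           # ACK
        tcp_frame(client, server, sport, dport, c + 1, s + 1, 0x18, payload),  # PSH-ACK
    ]
    # Global header: magic, version 2.4, zone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # Per-packet header: ts_sec (constructed), ts_usec, captured len, original len
        out += struct.pack("<IIII", 1_000_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed marker for a hypothetical local test rule such as:
#   alert tcp any any -> any 80 (msg:"content test"; content:"snort-rule-test"; sid:1000001;)
SAMPLE_PAYLOAD = b"GET /snort-rule-test HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    with open("content_test.pcap", "wb") as fh:
        fh.write(build_pcap(SAMPLE_PAYLOAD))
```

The resulting file can be read back with `snort -r content_test.pcap -c` followed by the path to your configuration. The handshake is included because rules that use `flow:established` do not match a lone data segment.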