[Snort-users] pcaps for triggering rules

Gmail Personal mainmen1985 at ...11827...
Fri Aug 24 05:17:07 EDT 2012


I'm currently writing a thesis comparing Scapy vs. Pytbull evasion techniques on Suricata and Snort.

Pytbull is a good tool, but the evasion attempts aren't as in-depth and IP/TCP-based as Scapy's. The setup is VERY easy though.



Emeka Agu | Sent from iPad

On 24 Aug 2012, at 09:01, Peter Bates <peter.bates at ...15381...> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> Hello all
> 
> On 24/08/2012 07:26, Pratik Narang wrote:
>> A good deal of Snort rules do a 'content' check. Can I use some
>> utility so that I may be able to craft or tamper packets just to
>> suit them to trigger Snort rules of my choice? Essentially, I
>> guess, I am asking if I can create sample pcaps or modify actual
>> pcap captures which will trigger certain rules.
> 
> Others have replied with better suggestions but I just thought I'd
> also suggest Pytbull - http://pytbull.sourceforge.net/
> 
> Last time I tried it out most of the 'content' checks failed dismally
> but then they are for the download of very specific malware.
> 
> - -- 
> Peter Bates
> Senior Computer Security Officer    Phone: +44(0)2076792049
> Information Services Division        Internal Ext: 32049
> University College London
> London WC1E 6BT
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iQEcBAEBAgAGBQJQNzTNAAoJELhVoVpEMS6RPicIAJNEFGGHHTelaC+NR2uF3Eb5
> QCXAplkjfIZwauC9HZYLoDRVHNZOTDk8FSlB2KsWoKlpI+EdopIHUc6PNqWq43hW
> 33HVH1h4XNX4GNO6hmd/GQ6HGmeEZpZzlQ1yV9bSxGmu2n3Z7W9ASIL9DwjrHhl0
> 2SrMzZJHsYX7JwtrPTRp82iyp6k/J1RMM2t8X8owtJRwwYi/IBIBUEEbArGjllZ1
> 2ODi3V5nTMP5zBgghJo6UNttYhELUKjzZ0hKgKaGiYGZ4xPVKaBLFBakUSziblr6
> inLdOjb6ZV972yi9LDQsyMcE9El+0F5JpYb7EV9fTRe7RWc7fbJHuYzIC4OoT6E=
> =ETiY
> -----END PGP SIGNATURE-----
> 
> 
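Pratik's original question was about crafting pcaps that exercise a 'content' rule. The following is an added example, written for this archive page and not code from any of the posters or from Pytbull; it uses only the Python standard library instead of Scapy so it runs anywhere. It builds one well-formed Ethernet/IPv4/TCP frame carrying a constructed payload, wraps it in a classic pcap file, and then parses the file back and re-verifies the IP and TCP checksums, because Snort silently ignores packets with bad checksums unless you disable checksum verification, which is the most common reason a hand-built test pcap "never fires". The addresses, ports, MACs, payload string and the matching local rule in the comment are all assumptions made up for the test.

```python
"""Build a minimal pcap whose single TCP packet carries a constructed payload,
so a local Snort/Suricata 'content' rule can be checked against it offline.
Added example (standard library only, no Scapy); every address, port and
payload value below is constructed for the test and not taken from the thread."""
import struct

# Constructed payload. An assumed local rule that would match it (not a shipped rule):
#   alert tcp any any -> any 80 (msg:"TEST content match"; \
#       content:"TEST-CONTENT-MARKER"; sid:1000001; rev:1;)
TEST_PAYLOAD = b"GET /TEST-CONTENT-MARKER HTTP/1.0\r\nHost: example.test\r\n\r\n"


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_packet(payload: bytes, src="192.0.2.10", dst="192.0.2.20",
                     sport=40000, dport=80) -> bytes:
    """Ethernet + IPv4 + TCP (PSH/ACK) frame with valid IP and TCP checksums."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # TCP header: constructed seq/ack, data offset 5 words, flags PSH|ACK (0x18)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 8192, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp_hdr) + len(payload))
    tcp_csum = ip_checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    total_len = 20 + len(tcp_hdr) + len(payload)
    # IPv4 header: version 4 / IHL 5, id 1, DF set, TTL 64, protocol 6 (TCP)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    # Ethernet: constructed dst/src MACs, EtherType 0x0800 (IPv4)
    eth_hdr = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + payload


def build_pcap(frames) -> bytes:
    """Classic pcap: 24-byte global header (v2.4, linktype 1 = Ethernet), then
    a 16-byte record header (ts_sec, ts_usec, incl_len, orig_len) per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame))  # arbitrary timestamps
        out += frame
    return out


def extract_tcp_payloads(pcap: bytes):
    """Walk a pcap written by build_pcap and return each record's TCP payload."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off, payloads = 24, []
    while off < len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        ihl = (frame[14] & 0x0F) * 4              # IPv4 header length in bytes
        tcp_off = 14 + ihl
        data_off = (frame[tcp_off + 12] >> 4) * 4  # TCP data offset in bytes
        payloads.append(frame[tcp_off + data_off:])
    return payloads


def checksums_valid(frame: bytes) -> bool:
    """True when both the IPv4 header and the TCP segment checksum to zero,
    i.e. the packet would pass Snort's default checksum verification."""
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ip_checksum(ip_hdr) != 0:
        return False
    total_len = struct.unpack_from("!H", ip_hdr, 2)[0]
    tcp_seg = frame[14 + ihl:14 + total_len]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(tcp_seg))
    return ip_checksum(pseudo + tcp_seg) == 0


if __name__ == "__main__":
    frame = build_tcp_packet(TEST_PAYLOAD)
    pcap = build_pcap([frame])
    with open("content_test.pcap", "wb") as f:
        f.write(pcap)
    print("checksums valid:", checksums_valid(frame))
    print("payloads:", extract_tcp_payloads(pcap))
    # Replay against a config holding the assumed local rule, e.g.:
    #   snort -c local.conf -r content_test.pcap -A console
```

Two caveats for anyone adapting this: a single PSH/ACK segment with no handshake is enough for a plain `content` rule, but rules that depend on `flow:established` or on the stream/HTTP preprocessors need the full three-way handshake in the capture; and if the checksum check above fails on a capture you modified by hand, that, rather than the rule, is usually why nothing alerts.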