[Snort-users] pcaps for triggering rules

Sunny James Fugate sunny.fugate at ...11827...
Fri Aug 24 10:32:09 EDT 2012


There is also the sneeze.pl script.  --> http://www.securiteam.com/tools/5DP0T0AB5G.html

I haven't tried this script in years, but it might still work to a limited extent. If nothing else, it presents a method which could be duplicated/updated.  It looks like it's missing a bunch of recent content modification options (it seems to only implement "offset").  

Cheers, 

Sunny



On Aug 24, 2012, at 12:53 AM, Tony Robinson wrote:

> There's a number of ways you can go about doing this, Pratik.
> 
> 1) there are some places on the net that have packet captures of known malicious content (e.g. think malware traffic, etc.)
> such as https://www.openpacket.org/
> 
> You would use tcpreplay to play these pcaps back from another system, or the snort system itself to try and force snort to trigger against the PCAP.
> 
> Tip: If you want snort to trigger against PCAPs, make sure you use -k none or disable checksumming in snort.conf.
> 
> 2) Waldo Kitty is probably thinking of scapy. Scapy is a packet crafting tool that can be used to modify and create packets of various types. More info at http://www.secdev.org/projects/scapy/
> 
> As far as I remember, scapy is included in backtrack.
> 
> 3) There is another tool called udpflood that can be used to, well, flood your network with UDP traffic, but what's interesting about this program is that you can specify a payload as well:
> 
> http://www.mcafee.com/us/downloads/free-tools/udpflood.aspx
> 
> 4) Lastly, there's the overkill approach: build your own virtual network and use NMAP/Metasploit/Armitage/W3AF and launch exploits against other virtual machines -- this is how I do my testing. If there's enough interest in this, I may do a write-up on how I configure my virtual lab for testing signatures. It's nothing fancy, but if the snort community thinks it would be beneficial, I would happily contribute it.
> 
> Hope this helps you
> 
> -Tony/da667
> 
> On Fri, Aug 24, 2012 at 2:26 AM, Pratik Narang <pratik.cse.bits at ...14459.....> wrote:
> Dear Snort users,
> 
> A good deal of Snort rules do a 'content' check.
> Can I use some utility so that I may be able to craft or tamper
> packets just to suit them to trigger Snort rules of my choice?
> Essentially, I guess, I am asking if I can create sample pcaps or
> modify actual pcap captures which will trigger certain rules.
> 
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> 
> 
> 
> -- 
> when does reality end? when does fantasy begin?
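As an added example, not code from anyone in this thread, here is the craft-your-own-pcap approach Pratik asks about, written against the Python standard library so it runs without scapy. It builds a three-way handshake followed by one client-to-server segment carrying a payload of your choosing, computes correct IPv4 and TCP checksums (so Tony's `-k none` tip is not needed for this file; it still is if you patch the payload of an existing capture without recomputing), writes a libpcap file that `snort -r` can read, and includes a small Snort-style `content` matcher with `offset`, `depth` and `nocase` so you can check the payload against a rule's content options before replaying. The MAC addresses, IPs, ports, payload and the `/cgi-bin/phf` content string are all constructed for the example; the handshake is included because the safest way to satisfy a `flow:established,to_server` option is to let the stream preprocessor see the session set up.

```python
# Added example (not from the thread): craft a TCP session with a chosen
# payload and valid checksums, write it as a pcap, and pre-check the payload
# against Snort-style content/offset/depth/nocase options. Stdlib only.
import socket
import struct

# Constructed endpoints for the example; change to taste.
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")
CLIENT_IP, SERVER_IP = "10.0.0.1", "10.0.0.2"
CLIENT_PORT, SERVER_PORT = 40000, 80

SYN, ACK, PSH = 0x02, 0x10, 0x08


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (odd length padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, src_mac, dst_mac,
                seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with correct checksums (no IP or TCP options)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, 8192, 0, 0)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(tcp) + len(payload)))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp + payload


def build_session(payload: bytes):
    """SYN, SYN/ACK, ACK, then one client->server PSH/ACK carrying `payload`."""
    c2s = (CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, CLIENT_MAC, SERVER_MAC)
    s2c = (SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT, SERVER_MAC, CLIENT_MAC)
    cseq, sseq = 1000, 5000
    return [
        build_frame(*c2s, seq=cseq, ack=0, flags=SYN),
        build_frame(*s2c, seq=sseq, ack=cseq + 1, flags=SYN | ACK),
        build_frame(*c2s, seq=cseq + 1, ack=sseq + 1, flags=ACK),
        build_frame(*c2s, seq=cseq + 1, ack=sseq + 1, flags=PSH | ACK,
                    payload=payload),
    ]


def verify_frame(frame: bytes) -> bool:
    """True when both the IPv4 header and the TCP segment checksum to zero."""
    ip_hdr, segment = frame[14:34], frame[34:]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(ip_hdr) == 0 and checksum(pseudo + segment) == 0


def content_match(payload: bytes, content: bytes, offset=0, depth=None,
                  nocase=False) -> bool:
    """Snort-style content match: search `depth` bytes starting at `offset`
    (the whole remainder when depth is None); nocase compares case-insensitively."""
    window = payload[offset: None if depth is None else offset + depth]
    if nocase:
        window, content = window.lower(), content.lower()
    return content in window


def build_pcap(frames, ts=1345800000) -> bytes:
    """libpcap file (little-endian, LINKTYPE_ETHERNET) holding `frames`."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts + i, 0, len(frame), len(frame)) + frame
    return out


def write_pcap(path: str, frames) -> None:
    with open(path, "wb") as f:
        f.write(build_pcap(frames))


if __name__ == "__main__":
    # Constructed payload; the content string stands in for a rule's content option.
    payload = b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"
    assert content_match(payload, b"/cgi-bin/phf", offset=4, depth=12)
    write_pcap("trigger.pcap", build_session(payload))
```

Run it, then `snort -r trigger.pcap -c snort.conf -A console` to see whether the rule fires. If it does not, compare the rule's full option list (offset/depth/distance/within, flow, and any service or port constraints) against what the single segment actually carries; the matcher above only covers the content window, which is the same limitation Sunny notes for sneeze.pl.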