[Snort-users] pcaps for triggering rules

Joel Esler jesler at ...1935...
Fri Aug 24 11:06:49 EDT 2012


I don't think that works anymore since Sneeze sends stateless packets and Snort is a stateful engine.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Aug 24, 2012, at 10:32 AM, Sunny James Fugate <sunny.fugate at ...11827...> wrote:

> There is also the sneeze.pl script.  --> http://www.securiteam.com/tools/5DP0T0AB5G.html
> 
> I haven't tried this script in years, but it might still work to a limited extent. If nothing else, it presents a method which could be duplicated/updated.  It looks like it's missing a bunch of recent content modification options (it seems to only implement "offset").  
> 
> Cheers, 
> 
> Sunny
> 
> 
> 
> On Aug 24, 2012, at 12:53 AM, Tony Robinson wrote:
> 
>> There are a number of ways you can go about doing this, Pratik.
>> 
>> 1) there are some places on the net that have packet captures of known malicious content (e.g. think malware traffic, etc.)
>> such as https://www.openpacket.org/
>> 
>> You would use tcpreplay to play these pcaps back from another system, or from the Snort system itself, to try to force Snort to trigger against the pcap.
>> 
>> Tip: If you want Snort to trigger against pcaps, make sure you use -k none or disable checksumming in snort.conf.
>> 
>> 2) Waldo Kitty is probably thinking of Scapy. Scapy is a packet crafting tool that can be used to modify and create packets of various types. More info at http://www.secdev.org/projects/scapy/
>> 
>> As far as I remember, Scapy is included in BackTrack.
>> 
>> 3) There is another tool called udpflood that can be used to, well, flood your network with UDP traffic, but what's interesting about this program is that you can specify a payload as well:
>> 
>> http://www.mcafee.com/us/downloads/free-tools/udpflood.aspx
>> 
>> 4) Lastly, there's the overkill approach: build your own virtual network and use NMAP/Metasploit/Armitage/W3AF and launch exploits against other virtual machines -- this is how I do my testing. If there's enough interest in this, I may do a write-up on how I configure my virtual lab for testing signatures. It's nothing fancy, but if the snort community thinks it would be beneficial, I would happily contribute it.
>> 
>> Hope this helps you
>> 
>> -Tony/da667
>> 
>> On Fri, Aug 24, 2012 at 2:26 AM, Pratik Narang <pratik.cse.bits at ...13704......> wrote:
>> Dear Snort users,
>> 
>> A good deal of Snort rules do a 'content' check.
>> Can I use some utility so that I may be able to craft or tamper with
>> packets just to suit them to trigger Snort rules of my choice?
>> Essentially, I guess, I am asking if I can create sample pcaps or
>> modify actual pcap captures which will trigger certain rules.
>> 
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>> 
>> 
>> 
>> -- 
>> when does reality end? when does fantasy begin?
> 
> 
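The thread's two practical constraints are that Snort verifies IP/TCP checksums (hence the "-k none" tip) and that it tracks TCP state, so a stateless packet generator like Sneeze will not satisfy rules that require an established flow. The following script is an added example, not code from the thread, from Sneeze, or from the Snort project: using only the Python standard library (no Scapy), it writes a pcap containing a complete three-way handshake followed by a PSH/ACK data segment carrying a chosen payload, with correct IP and TCP checksums, and then re-parses the file to confirm the checksums validate. The addresses, ports, MAC addresses, timestamp and the HTTP request are constructed placeholders; replace the payload with bytes that match the content: option of the rule under test.

```python
# Added example (not from the thread or the Snort project): craft a pcap that
# carries a payload inside a complete TCP session, with valid checksums, so a
# stateful Snort can match content rules that require flow:established.
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
LINKTYPE_ETHERNET = 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip2b(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def tcp_segment(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """20-byte TCP header plus payload; the checksum covers the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = ip2b(src) + ip2b(dst) + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def ip_packet(src, dst, ident, segment) -> bytes:
    """IPv4 header (DF set, TTL 64, protocol TCP) with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ident,
                      0x4000, 64, 6, 0, ip2b(src), ip2b(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + segment


def ethernet_frame(packet, src_mac=b"\x02\x00\x00\x00\x00\x01",
                   dst_mac=b"\x02\x00\x00\x00\x00\x02") -> bytes:
    """Ethernet II frame; the locally administered MACs are constructed placeholders."""
    return dst_mac + src_mac + b"\x08\x00" + packet


def pcap_file(frames, t0=1345816800) -> bytes:
    """Classic little-endian libpcap file: global header, then one record per frame, 1 ms apart."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", t0, i * 1000, len(frame), len(frame)) + frame
    return bytes(out)


def session_pcap(client, server, sport, dport, payload, cseq=1000, sseq=5000) -> bytes:
    """SYN, SYN/ACK, ACK, client PSH/ACK carrying payload, server ACK of the data."""
    steps = [  # (src, dst, sport, dport, seq, ack, flags, payload)
        (client, server, sport, dport, cseq, 0, SYN, b""),
        (server, client, dport, sport, sseq, cseq + 1, SYN | ACK, b""),
        (client, server, sport, dport, cseq + 1, sseq + 1, ACK, b""),
        (client, server, sport, dport, cseq + 1, sseq + 1, PSH | ACK, payload),
        (server, client, dport, sport, sseq + 1, cseq + 1 + len(payload), ACK, b""),
    ]
    frames = [ethernet_frame(ip_packet(s, d, 0x1000 + i,
                                       tcp_segment(s, d, sp, dp, seq, ack, fl, pl)))
              for i, (s, d, sp, dp, seq, ack, fl, pl) in enumerate(steps)]
    return pcap_file(frames)


def iter_frames(pcap: bytes):
    """Yield the frames of a little-endian pcap as produced by pcap_file()."""
    pos = 24
    while pos < len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[pos:pos + 16])
        yield pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl


def verify_frame(frame: bytes):
    """Re-check an Ethernet/IPv4/TCP frame: (ip_csum_ok, tcp_csum_ok, tcp_flags, payload)."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    doff = (tcp[12] >> 4) * 4
    return checksum(ip[:ihl]) == 0, checksum(pseudo + tcp) == 0, tcp[13], tcp[doff:]


if __name__ == "__main__":
    # Constructed sample payload; swap in bytes that match the content: of the rule under test.
    payload = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: rule-test\r\n\r\n"
    data = session_pcap("192.0.2.10", "192.0.2.80", 40000, 80, payload)
    with open("rule-test.pcap", "wb") as fh:
        fh.write(data)
    for frame in iter_frames(data):
        print(verify_frame(frame)[:3])
```

Feed the result straight to Snort with "snort -c snort.conf -r rule-test.pcap -A console", or replay it onto the wire with "tcpreplay -i eth0 rule-test.pcap". Because the checksums are correct, -k none is not needed; if a rule still does not fire, check that its flow: direction matches the side sending the payload (the client here) and that the stream preprocessor is configured for the port in question.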
