mailing list archives
Re: Triggering a complex snort rule (packet forging)
From: Asiri Rathnayake <asiri.rathnayake () gmail com>
Date: Tue, 2 Apr 2013 12:10:10 +0100
This email was supposed to be sent to the users list. Please ignore this.
On Tue, Apr 2, 2013 at 12:07 PM, Asiri Rathnayake <
asiri.rathnayake () gmail com> wrote:
This may be a bit naive question but I couldn't find a definitive answer
on the web.
Let's say we have a rule of the following form:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"...";
flow:to_client,established; content:"..."; nocase; http_header;
metadata:service http; classtype:attempted-user; ...)
This rule will only be triggered on the return traffic from some server
(?). If I understand correctly, this means the client (a computer on the
HOME_NET) made a request to some server (EXTERNAL_NET) and this rule is
looking into the response from the server.
My question is, how can such a rule be tested? (I need to trigger the rule
I was wondering if it's possible to forge packets with Scapy  and throw
them at HOME_NET in such a way that would make Snort believe that those
packets correspond to the signature in the rule above. Would Snort fall
into such forged traffic?
I found  while reading , but it seems rule2alert is in an early
stage of development (it says it can only handle simple rules). If someone
can kindly confirm if the strategy I have highlighted above is viable, then
I will be able to dig deeper into forging packets with Scapy. I thought it
would be wise to ask here first just in case if I'm headed the wrong way
(I'm a bit new to IDP/IDS domain).
Thanks a lot for your time.
Own the Future-Intel(R) Level Up Game Demo Contest 2013
Rise to greatness in Intel's independent game demo contest. Compete
for recognition, cash, and the chance to get your game on Steam.
$5K grand prize plus 10 genre and skill prizes. Submit your demo
by 6/6/13. http://altfarm.mediaplex.com/ad/ck/12124-176961-30367-2
Snort-devel mailing list
Snort-devel () lists sourceforge net
Please visit http://blog.snort.org for the latest news about Snort!
Re: Triggering a complex snort rule (packet forging) lists () packetmail net (Apr 02)