Snort mailing list archives

Re: Triggering a complex snort rule (packet forging)
From: Jamie Riden <jamie.riden () gmail com>
Date: Tue, 2 Apr 2013 13:15:51 +0100

On 2 April 2013 12:13, Asiri Rathnayake <asiri.rathnayake () gmail com> wrote:

Dear All,

This may be a bit of a naive question, but I couldn't find a definitive answer
on the web.

Let's say we have a rule of the following form:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"...";
flow:to_client,established; content:"..."; nocase; http_header;
metadata:service http; classtype:attempted-user; ...)

This rule will only be triggered on the return traffic from some server
(?). If I understand correctly, this means the client (a computer on the
HOME_NET) made a request to some server (EXTERNAL_NET) and this rule is
looking into the response from the server.

My question is, how can such a rule be tested? (I need to trigger the rule

Wouldn't the easiest way be to set up a page on a remote webserver which
matches the signature (content:"")? Then you could hit download as much as
you like, and you should get an alert.

Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!
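A way to exercise the approach suggested in the reply on your own machine, written for this page as an added example (it is not code from the thread and not part of Snort): a tiny HTTP server places a test string in its response headers, a client on the same host fetches the page, and a small function checks the returned header block the way a `content:"..."; nocase; http_header;` option would. Because the rule is `flow:to_client`, the string has to travel from server to client, and because the modifier is `http_header`, it has to sit in the response headers rather than the page body; the harness reports both positions so the difference is visible. The loopback address, ephemeral port, header name `X-Test-Marker` and the token `TEST_TOKEN` are constructed values; substitute the real `content:` string from the rule under test.

```python
"""
Added example, not from the original thread: serve a response whose HEADERS
carry a test token, fetch it as the HOME_NET client would, and evaluate the
header block like a `content:...; nocase; http_header;` match.
Host, port, header name and TEST_TOKEN are constructed placeholders.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed token; replace with the rule's content:"..." string when testing.
TEST_TOKEN = "Snort-Test-Marker-42"


class MarkerHandler(BaseHTTPRequestHandler):
    """Serve a page whose response headers (not the body) carry TEST_TOKEN."""

    def do_GET(self):
        body = b"<html><body>rule test page</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        # http_header content must appear here, in the server's response headers
        self.send_header("X-Test-Marker", TEST_TOKEN)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the harness quiet


def start_server():
    """Bind to an ephemeral loopback port and serve in the background.
    Returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), MarkerHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(port, path="/"):
    """Act as the client: request the page and return (header_block, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    # Rebuild the raw header block so it can be searched like http_header does
    header_block = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    body = resp.read().decode()
    conn.close()
    return header_block, body


def header_content_matches(header_block, needle):
    """Mimic `content:needle; nocase; http_header;`: a case-insensitive search
    restricted to the response header block, never the body."""
    return needle.lower() in header_block.lower()


def run_check():
    """Serve, fetch, and report whether the response would satisfy the rule's
    header match.  Returns (header_hit, body_hit)."""
    srv, port = start_server()
    try:
        headers, body = fetch(port)
    finally:
        srv.shutdown()
        srv.server_close()
    return header_content_matches(headers, TEST_TOKEN), TEST_TOKEN.lower() in body.lower()


if __name__ == "__main__":
    hit_hdr, hit_body = run_check()
    print(f"header match: {hit_hdr}, body match: {hit_body}")
```

Run it with the sensor watching the loopback interface (or point the client at a remote host you control that serves the same header); a match is expected for the header position only, which is the check a practitioner wants before concluding the rule itself is broken.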
