Home page logo

snort logo Snort mailing list archives

Re: Triggering a complex snort rule (packet forging)
From: Jamie Riden <jamie.riden () gmail com>
Date: Tue, 2 Apr 2013 13:31:47 +0100

You could look at grabbing a real packet and using tcpreplay maybe?

On 2 April 2013 13:28, Asiri Rathnayake <asiri.rathnayake () gmail com> wrote:

Hi Jamie,

Thank you for the quick response!

Wouldn't the easiest way be to set up a page on a remote webserver which
matches the signature (content:"") ? Then you could hit download as much as
you like, and you should get an alert.

For testing the rule repeatedly, yes, this would work.

However, this involves the client (hitting download). What I'm interested
in is if I could simply send packets from outside and trigger the rule
(without having the client to do anything). This is why I was looking into
packet forging, sort of like trying to emulate return traffic from the
server (matching the signature of the rule).

May be I should've been more specific, sorry about that. I need to trigger
the rule from the outside, without depending on the client.

Many thanks.

- Asiri

Jamie Riden / jamie () honeynet org / jamie.riden () gmail com

Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
Own the Future-Intel(R) Level Up Game Demo Contest 2013
Rise to greatness in Intel's independent game demo contest. Compete 
for recognition, cash, and the chance to get your game on Steam. 
$5K grand prize plus 10 genre and skill prizes. Submit your demo 
by 6/6/13. http://altfarm.mediaplex.com/ad/ck/12124-176961-30367-2
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]