Home page logo
/

snort logo Snort mailing list archives

Re: Triggering a complex snort rule (packet forging)
From: Asiri Rathnayake <asiri.rathnayake () gmail com>
Date: Tue, 2 Apr 2013 22:47:50 +0100

Hi Nathan,


On Tue, Apr 2, 2013 at 2:11 PM, lists () packetmail net
<lists () packetmail net>wrote:

On 04/02/2013 06:13 AM, Asiri Rathnayake wrote:

I was wondering if it's possible to forge packets with Scapy [1] and
throw them
at HOME_NET in such a way that would make Snort believe that those
packets
correspond to the signature in the rule above. Would Snort fall into
such forged
traffic?

I believe the issue in using Scapy is that you're trying to forge an HTTP
Response header/body but at the same time the example signature you've
provided
is using flow:to_client,established.  I'm not sure if, with regard to
Scapy,
you're going to be forging a PSH packet alone.  Honestly, I'm not quite
sure how
you would use Scapy in this scenario successfully since the client machine
is
expecting to be the one establishing the connection and expecting a PSH
(reasonable expectation, I know RST, and lack of 3-way).


It took me some time to digest some of the things you mentioned but I think
you are correct.

While I might be able to forge packets with Scapy, it looks like I'll have
a hard time escaping the Stream5 TCP re-assembly module. After reading
[1,2,3] and several other articles on the web, I've come to conclude that I
cannot simply "throw packets from outside" matching the rule signature I
mentioned. My guess is Stream5 pre-processor module will detect that there
was no established flow and it will either reject the packet or let it pass
through but not consider it as matching the rule signature (since no
established flow).

I hope this understanding is correct.

Many thanks.

- Asiri

[1] http://blog.snort.org/2011/09/flow-matters.html
[2] http://manual.snort.org/node33.html#SECTION00469000000000000000
[3] http://manual.snort.org/node17.html#stream5_section
------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault