
Snort mailing list archives
Re: Triggering a complex snort rule (packet forging)
From: Jamie Riden <jamie.riden () gmail com>
Date: Tue, 2 Apr 2013 13:15:51 +0100
On 2 April 2013 12:13, Asiri Rathnayake <asiri.rathnayake () gmail com> wrote:
> Dear All,
>
> This may be a bit of a naive question but I couldn't find a definitive answer on the web. Let's say we have a rule of the following form:
>
>   alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"..."; flow:to_client,established; content:"..."; nocase; http_header; metadata:service http; classtype:attempted-user; ...)
>
> This rule will only be triggered on the return traffic from some server (?). If I understand correctly, this means the client (a computer on the HOME_NET) made a request to some server (EXTERNAL_NET) and this rule is looking into the response from the server.
>
> My question is, how can such a rule be tested? (I need to trigger the rule repeatedly)
Wouldn't the easiest way be to set up a page on a remote webserver which matches the signature (content:"")? Then you could hit download as much as you like, and you should get an alert.

thanks,
Jamie

--
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
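The thread's subject mentions packet forging, and a forged session is the offline counterpart to Jamie's "host a page on a remote webserver" approach: it lets the rule be fired repeatedly with `snort -r` and no network at all. The script below is an added example written for this archive page, not code from either poster. It builds a complete TCP three-way handshake, a client request and a server response whose HTTP header carries a marker string, writes the frames to a classic pcap, and keeps IP and TCP checksums valid. Both details matter for the rule in the question: `flow:to_client,established` is only satisfied once the stream tracker has seen the session set up (a bare response packet with no handshake will not do it if stream5 is told to require one), and Snort's default checksum_mode discards packets with bad checksums before any rule is evaluated. The addresses, ports, MACs and the `X-Test-Signature` header are all made up for illustration; the real rule's content string is elided in the question, so MARKER must be replaced with whatever the rule actually matches.

```python
"""Forge a minimal TCP session (handshake + HTTP request + response) into a
pcap so a to_client,established http_header rule can be exercised offline:

    snort -r forged.pcap -c snort.conf -A console

Added example for this mailing-list thread, not code from the original
posts. IPs, ports, MACs and the marker header are assumptions chosen for
illustration; substitute the real content match for MARKER.
"""
import struct
import time

# Assumed addressing: the client sits in $HOME_NET, the server in
# $EXTERNAL_NET, and 80 is in $HTTP_PORTS, so the response frame matches
# "$EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any".
CLIENT_IP, CLIENT_PORT = "10.0.0.5", 40000
SERVER_IP, SERVER_PORT = "203.0.113.10", 80
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")

# Made-up header standing in for the rule's elided http_header content.
MARKER = "X-Test-Signature: TRIGGER-ME"

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10  # TCP flag bits


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum. Running it over a header that
    already contains a correct checksum yields 0, which the test uses."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """One Ethernet/IPv4/TCP frame with valid IP and TCP checksums.
    Snort ignores frames with bad checksums by default (checksum_mode all),
    so a forged session with wrong sums never reaches the rule engine."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))

    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]

    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                     64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]

    # Ethernet: destination MAC first, then source MAC, then EtherType IPv4.
    eth = (SERVER_MAC + CLIENT_MAC) if src_ip == CLIENT_IP else (CLIENT_MAC + SERVER_MAC)
    return eth + b"\x08\x00" + ip + tcp


def build_session(marker: str = MARKER):
    """Handshake, client request, server ACK, server response carrying
    `marker` in its header, client ACK. Fixed ISNs keep output reproducible."""
    c_isn, s_isn = 1000, 5000
    request = b"GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: rule-test\r\n\r\n"
    body = b"<html>ok</html>"
    response = (b"HTTP/1.1 200 OK\r\nServer: test\r\n" + marker.encode() + b"\r\n"
                b"Content-Type: text/html\r\n"
                b"Content-Length: %d\r\n\r\n" % len(body) + body)

    def c2s(seq, ack, flags, data=b""):
        return build_packet(CLIENT_IP, SERVER_IP, CLIENT_PORT, SERVER_PORT, seq, ack, flags, data)

    def s2c(seq, ack, flags, data=b""):
        return build_packet(SERVER_IP, CLIENT_IP, SERVER_PORT, CLIENT_PORT, seq, ack, flags, data)

    return [
        c2s(c_isn, 0, SYN),                                              # SYN
        s2c(s_isn, c_isn + 1, SYN | ACK),                                # SYN/ACK
        c2s(c_isn + 1, s_isn + 1, ACK),                                  # ACK: established
        c2s(c_isn + 1, s_isn + 1, PSH | ACK, request),                   # to_server request
        s2c(s_isn + 1, c_isn + 1 + len(request), ACK),                   # server ACKs it
        s2c(s_isn + 1, c_isn + 1 + len(request), PSH | ACK, response),   # to_client response
        c2s(c_isn + 1 + len(request), s_isn + 1 + len(response), ACK),   # client ACKs
    ]


def write_pcap(path: str, frames) -> int:
    """Write frames in classic pcap format (linktype 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    base = int(time.time())
    with open(path, "wb") as fh:
        fh.write(header)
        for i, frame in enumerate(frames):
            fh.write(struct.pack("<IIII", base, i * 1000, len(frame), len(frame)))
            fh.write(frame)
    return len(frames)


if __name__ == "__main__":
    n = write_pcap("forged.pcap", build_session())
    print("wrote %d frames to forged.pcap" % n)
```

Rerunning `snort -r forged.pcap` against the same file fires the rule on every pass, which covers the "trigger it repeatedly" requirement; to exercise the live sensor instead, replay the file onto the monitored interface with tcpreplay. Because the response is the sixth frame, the first rule hit should appear only after the stream preprocessor has processed the handshake; if no alert appears, check that the checksums validate (the verification in the test below is the same arithmetic Snort applies) before suspecting the content match.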
Current thread:
- Triggering a complex snort rule (packet forging) Asiri Rathnayake (Apr 02)
- Re: Triggering a complex snort rule (packet forging) Asiri Rathnayake (Apr 02)
- <Possible follow-ups>
- Triggering a complex snort rule (packet forging) Asiri Rathnayake (Apr 02)
- Re: Triggering a complex snort rule (packet forging) Jamie Riden (Apr 02)
- Re: Triggering a complex snort rule (packet forging) Asiri Rathnayake (Apr 02)
- Re: Triggering a complex snort rule (packet forging) Jamie Riden (Apr 02)
- Re: Triggering a complex snort rule (packet forging) Asiri Rathnayake (Apr 02)
- Re: Triggering a complex snort rule (packet forging) Jamie Riden (Apr 02)
- Re: Triggering a complex snort rule (packet forging) Asiri Rathnayake (Apr 02)
- Re: Triggering a complex snort rule (packet forging) Jamie Riden (Apr 02)
- Re: Triggering a complex snort rule (packet forging) waldo kitty (Apr 02)
- Message not available
- Re: Triggering a complex snort rule (packet forging) Asiri Rathnayake (Apr 02)
- Re: Triggering a complex snort rule (packet forging) waldo kitty (Apr 02)
- Re: Triggering a complex snort rule (packet forging) Asiri Rathnayake (Apr 02)