Re: Triggering a complex snort rule (packet forging)

[Jamie Riden <jamie.riden () gmail com>]

You could look at grabbing a real packet and using tcpreplay maybe?


On 2 April 2013 13:28, Asiri Rathnayake <asiri.rathnayake () gmail com> wrote:

> Hi Jamie,
>
> Thank you for the quick response!
>
> Wouldn't the easiest way be to set up a page on a remote webserver which
> > matches the signature (content:"") ? Then you could hit download as much as
> > you like, and you should get an alert.
>
> For testing the rule repeatedly, yes, this would work.
>
> However, this involves the client (hitting download). What I'm interested
> in is if I could simply send packets from outside and trigger the rule
> (without having the client to do anything). This is why I was looking into
> packet forging, sort of like trying to emulate return traffic from the
> server (matching the signature of the rule).
>
> May be I should've been more specific, sorry about that. I need to trigger
> the rule from the outside, without depending on the client.
>
> Many thanks.
>
> - Asiri
>
>
> > thanks,
> >  Jamie
> > --
> > Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
> > http://uk.linkedin.com/in/jamieriden


-- 
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden

------------------------------------------------------------------------------
Own the Future-Intel(R) Level Up Game Demo Contest 2013
Rise to greatness in Intel's independent game demo contest. Compete 
for recognition, cash, and the chance to get your game on Steam. 
$5K grand prize plus 10 genre and skill prizes. Submit your demo 
by 6/6/13. http://altfarm.mediaplex.com/ad/ck/12124-176961-30367-2

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!