Mecha_Infantry
Banned
Hi there, I've created some code in Scapy to create a successful 3WH and then push a segmented keyword (/root/hacked) over 3 packet streams.
I also created these three rules in snort (I know the rule with no flow direction set is pointless, but I needed it to confirm my findings)
1) alert tcp any any -> $HOME_NET any (msg:Testing TCP Flow; flow:to_server, established; content:/root/hacked; nocase; sid:11114
2) alert ip any any -> $HOME_NET any (msg:Testing IP Frag; content:/root/hacked; nocase; sid:11113
But none of them are alerted when I send the packets. Wireshark manages to see the packet streams and when I select Follow TCP Stream, and it displays the content in full.
IP tables has been turned off too I tested with an earlier evasion attempt just using a fragmented packet where it split the keyword into "/roo" and "t/hacked" and Snort detected it. I used exactly the same destination and source ports, same IP source and destination, too.
So I am presuming it's something to do with my snort.conf file. I've left most of the options as default, I just changed the policies to linux, as I am using Backtrack as the Snort IDS
I've also tried on other ports and set the port value to the Stream5 option, and Stream5 is enabled
Can anyone give me any guidance please?
Cheers,
I also created these three rules in snort (I know the rule with no flow direction set is pointless, but I needed it to confirm my findings)
1) alert tcp any any -> $HOME_NET any (msg:Testing TCP Flow; flow:to_server, established; content:/root/hacked; nocase; sid:11114
2) alert ip any any -> $HOME_NET any (msg:Testing IP Frag; content:/root/hacked; nocase; sid:11113
But none of them are alerted when I send the packets. Wireshark manages to see the packet streams and when I select Follow TCP Stream, and it displays the content in full.
IP tables has been turned off too I tested with an earlier evasion attempt just using a fragmented packet where it split the keyword into "/roo" and "t/hacked" and Snort detected it. I used exactly the same destination and source ports, same IP source and destination, too.
So I am presuming it's something to do with my snort.conf file. I've left most of the options as default, I just changed the policies to linux, as I am using Backtrack as the Snort IDS
I've also tried on other ports and set the port value to the Stream5 option, and Stream5 is enabled
Can anyone give me any guidance please?
Cheers,