Sunday, December 11, 2016

Some notes regarding testing Snort through Scapy

The rule for testing the NIDS engine:
alert icmp any any -> any any (content:"|64656D6F6E616C6578|"; msg:"Show demonalex"; sid:1000888;)



Launch a test case through Scapy:
>>> a=IP(dst='192.168.172.222')/ICMP()/"demonalex"
>>> send(a)



Tcpdump monitoring the conversation:
root@LinuxTest:/etc/snort/rules# tcpdump -i eth0 -Avv host 192.168.172.222 and icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:05:28.450743 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto ICMP (1), length 37)
    dynamic.dsl.skybest.com > xxxxxxxxxxx.local: ICMP echo request, id 0, seq 0, length 17
E..%....@.\;...........c....demonalex
15:05:28.451176 IP (tos 0x0, ttl 127, id 21335, offset 0, flags [none], proto ICMP (1), length 37)
    xxxxxxxxxxx.local > dynamic.dsl.skybest.com: ICMP echo reply, id 0, seq 0, length 17
E..%SW.................c....demonalex.........



Corresponding Snort Log:
root@LinuxTest:~# tail -n 10 -f /var/log/snort/alert
[**] [1:1000888:0] Show demonalex [**]
[Priority: 0]
12/09-15:23:37.880520 192.168.1.189 -> 192.168.172.222
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:37
Type:8  Code:0  ID:0   Seq:0  ECHO

[**] [1:1000888:0] Show demonalex [**]
[Priority: 0]
12/09-15:23:37.881118 192.168.172.222 -> 192.168.1.189
ICMP TTL:127 TOS:0x0 ID:3121 IpLen:20 DgmLen:37
Type:0  Code:0  ID:0  Seq:0  ECHO REPLY

[**] [1:408:5] ICMP Echo Reply [**]
[Classification: Misc activity] [Priority: 3]
12/09-15:23:37.881118 192.168.172.222 -> 192.168.1.189
ICMP TTL:127 TOS:0x0 ID:3121 IpLen:20 DgmLen:37
Type:0  Code:0  ID:0  Seq:0  ECHO REPLY
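An added example (my own code, not from the original post) that reproduces the test offline: the rule's hex content |64656D6F6E616C6578| is decoded to bytes (it is ASCII "demonalex"), the same packet Scapy builds with IP(dst='192.168.172.222')/ICMP()/"demonalex" is assembled by hand with struct, and the content match is evaluated the way the rule above would see it. It goes a little beyond the post by handling Snort content strings that mix literal text and pipe-delimited hex. Assumptions: the source address 192.168.1.189 and the reply's TTL/ID are taken from the alert log above; nothing is sent on the wire.

```python
import struct

# Content pattern from the rule above; |64656D6F6E616C6578| is hex for "demonalex".
RULE_CONTENT = '|64656D6F6E616C6578|'


def decode_snort_content(content: str) -> bytes:
    """Turn a Snort content string into raw bytes.

    Text between pipe characters is hex (spaces allowed); text outside the
    pipes is taken literally, which is how Snort lets the two forms mix.
    """
    out = bytearray()
    for i, part in enumerate(content.split('|')):
        if i % 2:                        # odd chunks sit between pipes: hex
            out += bytes.fromhex(part.replace(' ', ''))
        else:                            # even chunks: literal characters
            out += part.encode('latin-1')
    return bytes(out)


RULE_PATTERN = decode_snort_content(RULE_CONTENT)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, icmp_type: int = 8, icmp_id: int = 0, seq: int = 0) -> bytes:
    """ICMP echo request (type 8) or echo reply (type 0) with checksum filled in.
    id=0 and seq=0 are Scapy's ICMP() defaults, matching the alert log above."""
    header = struct.pack('!BBHHH', icmp_type, 0, 0, icmp_id, seq)
    csum = inet_checksum(header + payload)
    return struct.pack('!BBHHH', icmp_type, 0, csum, icmp_id, seq) + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ip_id: int = 1) -> bytes:
    """Minimal IPv4 header (no options) in front of payload.
    ttl=64 and id=1 are Scapy's IP() defaults, matching the request in the alert."""
    src_b = bytes(int(o) for o in src.split('.'))
    dst_b = bytes(int(o) for o in dst.split('.'))
    total_len = 20 + len(payload)
    fields = [0x45, 0, total_len, ip_id, 0, ttl, proto, 0, src_b, dst_b]
    header = struct.pack('!BBHHHBBH4s4s', *fields)
    fields[7] = inet_checksum(header)    # index 7 is the header checksum field
    return struct.pack('!BBHHHBBH4s4s', *fields) + payload


def rule_matches(packet: bytes, pattern: bytes) -> bool:
    """Approximate 'alert icmp any any -> any any (content:...)'.

    The rule constrains neither direction nor ICMP type, so any ICMP packet
    qualifies and the pattern is searched in the bytes after the IP and ICMP
    headers. That is why the echo reply produced a second alert above.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:                   # IP protocol field: 1 = ICMP
        return False
    return pattern in packet[ihl + 8:]   # skip the 8-byte ICMP header


def build_test_packet() -> bytes:
    """Same bytes as IP(dst='192.168.172.222')/ICMP()/"demonalex" in Scapy.
    Source address 192.168.1.189 is assumed from the Snort alert above."""
    return build_ipv4('192.168.1.189', '192.168.172.222', 1,
                      build_icmp_echo(RULE_PATTERN))


if __name__ == '__main__':
    pkt = build_test_packet()
    print('IP total length:', len(pkt))          # 37, as DgmLen:37 in the alert
    print('request matches:', rule_matches(pkt, RULE_PATTERN))
    reply = build_ipv4('192.168.172.222', '192.168.1.189', 1,
                       build_icmp_echo(RULE_PATTERN, icmp_type=0), ttl=127, ip_id=3121)
    print('reply matches  :', rule_matches(reply, RULE_PATTERN))
```

The total length of 37 bytes (20 IP + 8 ICMP + 9 payload) is the DgmLen:37 reported by Snort and the "length 37" tcpdump printed, which is a quick way to confirm the hand-built packet is the same shape as the Scapy one before trusting the match result.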
