Wednesday, January 29, 2020

Trying to understand IDS and TCP

I need a wee bit of help here. I have 3 virtual machines on a virtual network. There is nothing else on this network. vm1 is a DHCP server to give out IP addresses. vm2 has snort installed on it. vm3 just exists to do stuff to the other two. It is my understanding that snort listens to all traffic on the interface.

VM1(DHCP) <-> VM2(Snort) <-> VM3(Stuff)

Here's the rule I am trying to trigger:
SID 30225

alert tcp any any -> any any (msg:"INDICATOR-SHELLCODE possible /bin/sh shellcode transfer attempt"; flow:established; content:"Rh//shh/bin"; fast_pattern:only; metadata:policy max-detect-ips drop; reference:url,www.metasploit.com/learn-more/how-do-i-use-it/documentation.jsp; classtype:shellcode-detect; sid:30225; rev:2;) 

What I have set up is netcat on vm1 and vm3 with nc -l 999 on one side and nc 172.30.0.1 999 on the other. They connect fine and I can send text back and forth. Wireshark picks it up no problem. When I use scapy to send a TCP packet to vm1 with the content (Rh//shh/bin) from vm3 I don't get an alert. Any insight would be helpful. Thanks.

Here's my python code.

#!/usr/local/bin/python
import random
import sys

from scapy.all import IP, TCP, Raw, send, sr1

# VARIABLES (usage: script.py <src ip> <dst ip> <dst port>)
src = sys.argv[1]
dst = sys.argv[2]
sport = random.randint(1024, 65535)
dport = int(sys.argv[3])

# SYN: send the first handshake segment and wait for the SYN/ACK reply
ip = IP(src=src, dst=dst)
SYN = TCP(sport=sport, dport=dport, flags='S', seq=1000)
SYNACK = sr1(ip/SYN)

# ACK: finish the handshake from scapy's side and carry the payload in the same
# segment. The payload must be bytes on Python 3, wrapped in a Raw layer.
# Caveat: the local kernel has no socket for this connection, so when the
# SYN/ACK arrives it normally answers with a RST of its own unless that RST is
# suppressed locally; a stream tracker that sees the RST will not treat the
# session as established, so any later data is inspected as untracked.
payload = Raw(load=b"Rh//shh/bin")
ACK = TCP(sport=sport, dport=dport, flags='A', seq=SYNACK.ack, ack=SYNACK.seq + 1)
send(ip/ACK/payload)
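Added example, not from the post above and not Snort code: a minimal Python stand-in for the stream tracking behind the rule's flow:established option, fed constructed segments (the addresses, ports and sequence numbers are made up, and the rule content is the one from sid:30225 quoted above). It shows the content match firing only once the sensor has seen a complete three-way handshake, and staying silent both for a bare data segment with no handshake and for a handshake that the crafting host's own kernel tore down with a RST on receiving the unsolicited SYN/ACK (assumed here to be that host's default behaviour). No network or scapy is needed; it runs offline.

```python
"""Toy flow tracker: what a flow:established content match needs to see.

Constructed segments stand in for what a stream preprocessor would observe on
the sensor interface. Addresses, ports and ISNs are invented for the example.
"""
from dataclasses import dataclass

# TCP flag bits, same values as on the wire
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Content the quoted rule (sid:30225) searches for
RULE_CONTENT = b"Rh//shh/bin"


@dataclass(frozen=True)
class Segment:
    """One TCP segment as the tracker sees it (constructed, not captured)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int
    ack: int
    payload: bytes = b""


@dataclass
class Flow:
    state: str = "NEW"      # NEW -> SYN_SENT -> SYN_RECV -> ESTABLISHED, or CLOSED on RST
    client_isn: int = 0
    server_isn: int = 0


class FlowTracker:
    """Tracks handshake state per 4-tuple; content is only inspected once the
    flow reached ESTABLISHED, which is the gate flow:established imposes."""

    def __init__(self):
        self.flows = {}
        self.alerts = []

    @staticmethod
    def key(seg):
        # Direction-independent key so both halves of a conversation share one flow
        return tuple(sorted([(seg.src, seg.sport), (seg.dst, seg.dport)]))

    def feed(self, seg):
        flow = self.flows.setdefault(self.key(seg), Flow())

        if seg.flags & RST:
            # A RST from either side tears the session down; later data is untracked
            flow.state = "CLOSED"
            return None

        if flow.state == "NEW" and seg.flags & SYN and not seg.flags & ACK:
            flow.state, flow.client_isn = "SYN_SENT", seg.seq
        elif (flow.state == "SYN_SENT" and seg.flags & SYN and seg.flags & ACK
              and seg.ack == flow.client_isn + 1):
            flow.state, flow.server_isn = "SYN_RECV", seg.seq
        elif (flow.state == "SYN_RECV" and seg.flags & ACK and not seg.flags & SYN
              and seg.seq == flow.client_isn + 1 and seg.ack == flow.server_isn + 1):
            flow.state = "ESTABLISHED"

        # The content check runs only on an established flow (a data-bearing
        # third handshake segment is checked right after it completes the handshake)
        if flow.state == "ESTABLISHED" and RULE_CONTENT in seg.payload:
            alert = f"sid:30225 {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}"
            self.alerts.append(alert)
            return alert
        return None


def run(segments):
    """Feed segments in order and return the alerts raised."""
    tracker = FlowTracker()
    return [a for a in map(tracker.feed, segments) if a]


# Constructed endpoints: client (the crafting host) and the netcat listener
C, S = ("172.30.0.5", 40000), ("172.30.0.1", 999)


def handshake(isn_c=1000, isn_s=5000):
    return [
        Segment(*C, *S, SYN, isn_c, 0),
        Segment(*S, *C, SYN | ACK, isn_s, isn_c + 1),
        Segment(*C, *S, ACK, isn_c + 1, isn_s + 1),
    ]


def data(isn_c=1000, isn_s=5000, flags=PSH | ACK):
    return Segment(*C, *S, flags, isn_c + 1, isn_s + 1, RULE_CONTENT)


def scenario_established():
    """Kernel-completed handshake (what netcat does), then the payload: alerts."""
    return run(handshake() + [data()])


def scenario_raw_without_handshake():
    """Only the data segment, no handshake ever seen by the sensor: no alert."""
    return run([data()])


def scenario_raw_handshake_reset():
    """SYN and SYN/ACK, then the crafting host's kernel resets the unsolicited
    SYN/ACK before the scripted ACK+payload goes out: no alert."""
    segs = handshake()[:2]
    segs.append(Segment(*C, *S, RST, 1001, 0))
    segs.append(data(flags=ACK))
    return run(segs)


if __name__ == "__main__":
    for fn in (scenario_established, scenario_raw_without_handshake,
               scenario_raw_handshake_reset):
        print(f"{fn.__name__}: {fn() or 'no alert'}")
```

The design choice worth noting is that the tracker keys flows on the sorted 4-tuple and advances state only on a consistent sequence of SYN, SYN/ACK and ACK; a real stream preprocessor does far more (window checks, reassembly, midstream pickup options), but the gate that decides whether flow:established rules are evaluated is the same idea.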

