Using Scapy to Test Snort Signatures
I have recently been playing around with Scapy, as seen in my DNS Spoof script.
If you are learning how to write Snort signatures and have a basic understanding of the layers of a packet, then Scapy is a great place to start. As a simple example, if you want to test a Snort content rule that looks for the string "Hello", you can create the packet in a Scapy Python script like so:
from scapy.all import Ether, IP, TCP, Raw, wrpcap

payload = Raw(load=b"Hello")   # the bytes the content rule should match
p = Ether()/IP(dst="127.0.0.1")/TCP(sport=581, dport=5959)/payload
wrpcap("mycapture.pcap", p)    # Scapy fills in lengths and checksums when it writes the frame
The snort signature for that might look like:
alert tcp any any -> any any (msg:"Hello Traffic Detected"; content:"Hello"; nocase; sid:100000000; rev:1;)
You can then run Snort against the pcap, just as you would against packets captured from an interface:
snort -c myrules -q -A console -K none -r mycapture.pcap
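To see what Scapy is filling in for you, here is the same Ether/IP/TCP/"Hello" packet built by hand and written to a pcap, together with two extra constructed payloads so you can check that the rule above fires on the positive and nocase cases and stays quiet on the negative one. This is an added example, not the post's code; the zero MAC addresses, source IP and the extra payloads are constructed values.

```python
import struct
import time

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit big-endian words; odd length is padded with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(payload: bytes, dst="127.0.0.1", src="127.0.0.1", sport=581, dport=5959) -> bytes:
    """Ethernet/IPv4/TCP frame carrying payload, with valid IP and TCP checksums.

    Snort 2's checksum_mode defaults to verifying all checksums and skipping packets that
    fail, so a hand-built test packet has to get them right (Scapy fills them in for you).
    """
    src_ip = bytes(map(int, src.split(".")))
    dst_ip = bytes(map(int, dst.split(".")))
    # TCP header: data offset 5 words (20 bytes), flags PSH|ACK, window 8192, checksum zeroed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp))   # pseudo-header, proto 6 = TCP
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4 / IHL 5, TTL 64, protocol TCP, checksum computed over the header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    ether = b"\x00" * 12 + b"\x08\x00"       # placeholder (constructed) MACs, EtherType 0x0800 = IPv4
    return ether + ip + tcp

def tcp_payload(frame: bytes) -> bytes:
    """Walk the layers back out: Ethernet (14) -> IHL*4 -> TCP data offset*4 -> payload."""
    ip_off = 14
    tcp_off = ip_off + (frame[ip_off] & 0x0F) * 4
    return frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:]

def write_pcap(path: str, frames) -> None:
    """Classic libpcap file: 24-byte global header (LINKTYPE_ETHERNET) then one record per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", int(time.time()) + i, 0, len(frame), len(frame)) + frame)

# Constructed test set: the post's rule should fire on the first two (content + nocase), not the third.
TEST_PAYLOADS = [b"Hello", b"say hElLo", b"Goodbye"]

if __name__ == "__main__":
    write_pcap("mycapture.pcap", [build_frame(p) for p in TEST_PAYLOADS])
```

Running the post's snort command against the resulting file should produce exactly two console alerts; a miss on the second packet points at a missing nocase, a miss on all three at a checksum or config problem.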
