Tuesday, March 3, 2015

Ideas on how I can fragment captured network traffic?



I am trying to create a lab environment where I can analyze common IDS solutions (starting with Snort specifically) and their ability to reassemble fragmented IP trains. I have a collection of malicious pcaps which, when run with tcpreplay, create events and fire alerts, as expected. I am trying to find a way to fragment all IP packets in my pcaps to test the frag3 preprocessor in Snort. This way, I can determine which reassembly engine Snort is using and test things like exploits and shellcode and Snort's ability to reassemble properly. So far I have tried using fragroute, but I only seem to be fragmenting layer 2. I have tried using the fragroute engine with tcpreplay but cannot get the engine to compile with tcpreplay. My initial idea was to use Scapy to loop through IP packets and fragment them that way, but I am stuck. Thanks
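One way to do the pcap loop the question describes, as an added example that is not part of the original post and needs no Scapy: a small IPv4 fragmenter in pure Python, plus a routine that rewrites a classic libpcap file so tcpreplay can send the fragmented version. Scapy's own `fragment()` does the same split, but the hand-rolled version makes visible the fields frag3 has to reassemble on (fragment offset in 8-byte units, the MF flag, per-fragment total length and header checksum). It assumes a microsecond-resolution pcap with an Ethernet link type; `SAMPLE_PKT` is a constructed packet and the file names passed to `fragment_pcap` are hypothetical.

```python
import struct

IP_MF, IP_DF = 0x2000, 0x4000  # IPv4 "more fragments" / "don't fragment" flag bits

def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum of an IPv4 header whose checksum field is zeroed."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def fragment_ipv4(pkt: bytes, fragsize: int = 8) -> list:
    """Split an IPv4 packet into fragments of at most fragsize payload bytes (multiple of 8, as
    the offset field counts 8-byte units). Options are copied to every fragment; DF is cleared."""
    if fragsize % 8: raise ValueError("fragsize must be a multiple of 8")
    ihl = (pkt[0] & 0x0F) * 4
    hdr, payload = pkt[:ihl], pkt[ihl:]
    if len(payload) <= fragsize: return [pkt]          # nothing to split
    flags_off = struct.unpack("!H", hdr[6:8])[0]
    base_off, had_mf = flags_off & 0x1FFF, bool(flags_off & IP_MF)  # input may itself be a fragment
    frags = []
    for i in range(0, len(payload), fragsize):
        chunk = payload[i:i + fragsize]
        more = had_mf or i + fragsize < len(payload)
        h = bytearray(hdr[:10] + b"\0\0" + hdr[12:])                                # checksum zeroed
        struct.pack_into("!H", h, 2, ihl + len(chunk))                             # total length
        struct.pack_into("!H", h, 6, (IP_MF if more else 0) | (base_off + i // 8))  # flags + offset
        struct.pack_into("!H", h, 10, ip_checksum(bytes(h)))                        # fresh checksum
        frags.append(bytes(h) + chunk)
    return frags

def fragment_pcap(src: str, dst: str, fragsize: int = 8) -> int:
    """Rewrite a classic libpcap file (Ethernet), fragmenting every untruncated IPv4 packet."""
    data = open(src, "rb").read()
    e = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # magic number gives the byte order
    out, pos, n = [data[:24]], 24, 0                      # keep the 24-byte global header as is
    while pos + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack(e + "IIII", data[pos:pos + 16])
        frame, pos = data[pos + 16:pos + 16 + incl], pos + 16 + incl
        eth, ip = frame[:14], frame[14:]
        is_ipv4 = eth[12:14] == b"\x08\x00" and incl == orig and len(ip) >= 20
        for p in (fragment_ipv4(ip, fragsize) if is_ipv4 else [ip]):  # same timestamp for all
            out.append(struct.pack(e + "IIII", sec, usec, 14 + len(p), 14 + len(p)) + eth + p)
            n += 1
    with open(dst, "wb") as f:
        f.write(b"".join(out))
    return n                                              # number of records written

# Constructed sample: 20-byte header (id 0x1234, DF set, proto TCP) plus 20 payload bytes.
SAMPLE_PKT = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, IP_DF, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + bytes(range(20))
```

Running `fragment_pcap("malicious.pcap", "malicious-frag8.pcap", 8)` and replaying the output with tcpreplay as before shows whether frag3 still raises the same alerts; varying `fragsize` and replaying the fragments against different `frag3_engine policy` settings exercises the per-target reassembly models.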
