i m trying to test IDS systems on evasion. I have picked up Snort IDS. I have crafted few fragmented packet scenario, and i m sending those fragmented packet to destination address. All these crafted scenarios break RFC rules in some way. So i m trying to get frag3 preprocessor module running to trigger alerts. But I m stucked.
When i define my own rules in local.rules and send those packets, i can see the alert trigered by Snort IDS. The problem is those rules are only set up to test, if the Snort does work.
Real matter is to trigger frag3 alert to see IDS rule bahaviour. But i dont really know how to configure it, or how to get those alerts trigger. I m expecting to get atleast these two alerts but, i dont know how.
8 Fragmentation overlap
10 Bogus fragmentation packet. Possible BSD attack
This is my frag3 snort.conf code:
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine:
Way for preprocessor modules in snort.conf file is:
var PREPROC_RULE_PATH c:\Snort\preproc_rules
Any advice? Thanks for your time.
M.G.
