Summary:
Crafting a packet to test an IDS rule with the 4-byte payload `|47 43 52 47|`. I am getting a [RST, ACK] from my Mac outbound. The reasoning could be that the OS is not listening on the source port and sends RST, so I edited the /etc/pf.conf
file to block RST from my Mac to 172.217.197.188 (Google),
and it did not work. I am still getting [RST, ACK]. Help!!
Tools:
Source: MacOS Mojave V10.14.3 (host LT)
Destination: Google: 172.217.197.188
Scapy (packet crafting tool)
Vim text editor V 8.0.1283
Wireshark
**Code**

```python
from scapy.all import IP, TCP, Raw, RandNum, sr1, send

# Pick the source port once: RandNum is re-evaluated every time it is used,
# so each packet would otherwise go out with a different sport
port = int(RandNum(1024, 65535))
ip = IP(src="Mac LT X.X.X.X", dst="172.217.197.188")
SYN = TCP(sport=port, dport=443, flags="S", seq=100)
SYNACK = sr1(ip / SYN)
my_ack = SYNACK.seq + 1
# Our next seq is exactly what the server acknowledged (the SYN used one number)
ACK = TCP(sport=port, dport=443, flags="A", seq=SYNACK.ack, ack=my_ack)
send(ip / ACK)
# |47 43 52 47| is Snort content notation for the four bytes 0x47 0x43 0x52 0x47
payload = bytes.fromhex("47435247")
# The empty ACK consumed no sequence numbers, so the data segment reuses its seq/ack
PUSH = TCP(sport=port, dport=443, flags="PA", seq=ACK.seq, ack=ACK.ack)
send(ip / PUSH / Raw(load=payload))
```
**Wireshark Output**

I am getting [RST, ACK] and then [PSH, ACK] in the Wireshark output. The reasoning could be that the OS is not listening on the source port and sends RST, so I edited the /etc/pf.conf
file to block RST from my Mac to 172.217.197.188 (Google).
**pf.conf rule to block RST/ACK from macOS (as seen in Wireshark)**

Rule added:

```
block drop proto tcp from X.X.X.X to 172.217.197.188 flags R/R
```

Commands:

```
sudo pfctl -f /etc/pf.conf   (loads the file)
sudo pfctl -e                (enable the packet filtering)
:wq                          (exit with saving)
```