Skip navigation.
Home

Rule2Alert

Rule2Alert's goal, is to read in snort rules and generate packets that would make snort produce an alert. It is written entirely in python and utilizes Scapy to craft the packets. It is still under heavy development with myself, Pablo Rincon, and Will Metcalf.

Currently, it is able to generate pcaps based off simple content snort compatible rules. I loaded in the emerging-all.rules file and was able to create a pcap that alerted snort 514 times. The project is not ready to be released yet, but the results look promising so far. This project is currently under the Open Information Security Foundation, as all of the project members are currently working on the new IDS/IPS system Suricata.

Example:

test.rule
----------
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; distance:5; within:12; sid:2000000; rev:1;)

famousjs@youbantoo:~/rule2alert$ sudo python r2a.py -vt -c /etc/snort/snort.conf -f rules/test.rule -w test.pcap
Ether / IP / TCP 192.168.0.1:9001 > 1.1.1.1:www S
Ether / IP / TCP 1.1.1.1:www > 192.168.0.1:9001 SA
Ether / IP / TCP 192.168.0.1:9001 > 1.1.1.1:www A
Ether / IP / TCP 192.168.0.1:9001 > 1.1.1.1:www PA / Raw

-------- Hex Payload Start ----------
56 24 5a 63 20 20 20 20
20 68 65 79
--------- Hex Payload End -----------

Loaded 1 rules successfully!
Writing packets to pcap...
Successfully alerted on all loaded rules