I need to analyze an Apache log with Snort and other IDS/WAFs (Suricata, mod_security and Shadow Daemon). In order to do so, I was thinking about creating TCP packets with the GET and POST requests stored in the Apache log with Scapy in Python. Something like this:

    from scapy.all import IP, TCP, Raw
    packet = IP(dst=dst_ip)/TCP(dport=9999)/Raw(load=payload)  # payload contains the HTTP request

I store these TCP packets into a PCAP file to later analyze it with Snort or the other IDS/WAFs I mentioned.
The problem with this method of building packets is that there is no state in the communication, and Snort detects it with this alert:
    [**] [129:2:1] Data on SYN packet [**]
    [Classification: Generic Protocol Command Decode] [Priority: 3]
    09/01-20:29:50.816860 127.0.0.1:20 -> 127.0.0.1:9999
    TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:102
    ******S* Seq: 0x0 Ack: 0x0 Win: 0x2000 TcpLen: 20
    [Xref => http://www.securityfocus.com/bid/34429][Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1157]

Then, I adapted the code to add a sequence and ack number:

    from scapy.all import IP, TCP, Raw
    ip = IP(src=src_ip, dst=dst_ip)
    payload = fullrequest[0]  # the request text taken from the log
    packet = (ip / TCP(sport=src_port, dport=dest_port, flags='PA',
                       seq=seq_n, ack=ack_n) / Raw(load=payload))
    seq_n = seq_n + len(payload.encode('UTF8'))

In this way, there is a sequence, but the Data on SYN packet alert changes to another one (although instead of raising as many alerts as there are packets, only 22% of the packets throw an alert):
    [**] [129:12:1] Consecutive TCP small segments exceeding threshold [**]
    [Classification: Potentially Bad Traffic] [Priority: 2]
    09/01-20:49:15.037299 127.0.0.1:60664 -> 127.0.0.1:80
    TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:94
    ***AP*** Seq: 0x156E7 Ack: 0xB Win: 0x2000 TcpLen: 20

In the end, I chose to create a client-server structure with sockets (sending the payload from one virtual machine to another), analyze the traffic with Wireshark and then save the packets as PCAP. The problem here is that Snort does not detect a single attack. In addition, I cannot automate this analysis operation.
Example attacks:
"GET /shoutbox.php?conf=../../../../../../../../etc/passwd HTTP/1.1"
"GET /cgi-bin/apexec.pl?etype=odp&template=../../../../../../../../../../etc/hosts%00.html&passurl=/category/ HTTP/1.1"
What could I be doing wrong? Any hint?
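The two alerts above both come from Snort's stream preprocessor seeing TCP segments that belong to no session: data on a SYN, then data segments with no handshake before them. As an added example (not code from the question or its answer), the script below turns Apache access-log request lines into a PCAP in which every request rides inside a complete TCP session (SYN, SYN/ACK, ACK, request, ACK, minimal reply, FIN exchange), which is what a stream-aware IDS needs before it hands the payload to its HTTP inspector. It uses only the Python standard library and packs the pcap, Ethernet, IPv4 and TCP headers by hand instead of with Scapy; the log lines, IP addresses, MAC addresses, ports, initial sequence numbers and the one-line HTTP reply are all constructed for the example.

```python
# Added example, not code from the original question or its answer: replay the
# request lines of an Apache access log into a PCAP that carries a complete
# TCP session per request, so a stream-aware IDS does not flag "Data on SYN".
import re
import struct
import time

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2018:20:29:50 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Sep/2018:20:29:51 +0200] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3}')

def parse_log(text):
    """Return (client_ip, request_line) for each line that matches the format."""
    found = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            found.append((m.group("client"), m.group("request")))
    return found

def checksum(data):
    """RFC 1071 one's-complement sum; data is padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_session(client_ip, server_ip, request_line, sport=40000, dport=80,
                  c_isn=1000, s_isn=5000):
    """Segments of one exchange as (src, sport, dst, dport, seq, ack, flags, payload)."""
    req = (request_line + "\r\nHost: " + server_ip + "\r\n\r\n").encode()
    # Constructed minimal reply; the access log does not record the real response.
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    c = (client_ip, sport, server_ip, dport)
    s = (server_ip, dport, client_ip, sport)
    cs, ss = c_isn + 1, s_isn + 1          # sequence numbers once the handshake is done
    return [
        c + (c_isn, 0, SYN, b""),                          # SYN carries no data
        s + (s_isn, cs, SYN | ACK, b""),
        c + (cs, ss, ACK, b""),                            # handshake complete
        c + (cs, ss, PSH | ACK, req),                      # the replayed request
        s + (ss, cs + len(req), ACK, b""),
        s + (ss, cs + len(req), PSH | ACK, resp),
        c + (cs + len(req), ss + len(resp), ACK, b""),
        c + (cs + len(req), ss + len(resp), FIN | ACK, b""),
        s + (ss + len(resp), cs + len(req) + 1, FIN | ACK, b""),
        c + (cs + len(req) + 1, ss + len(resp) + 1, ACK, b""),
    ]

def encode_frame(seg):
    """Ethernet/IPv4/TCP frame for one segment, with both checksums filled in."""
    src, sport, dst, dport, seq, ack, flags, payload = seg
    saddr, daddr = (bytes(map(int, a.split("."))) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = struct.pack("!4s4sBBH", saddr, daddr, 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, saddr, daddr)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"   # constructed MAC addresses, EtherType IPv4
    return eth + ip + tcp + payload

def checksums_ok(frame):
    """True when the IPv4 header checksum and the TCP checksum of a frame verify."""
    ip = frame[14:34]
    tcp_len = struct.unpack("!H", ip[2:4])[0] - 20
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, tcp_len)
    return checksum(ip) == 0 and checksum(pseudo + frame[34:34 + tcp_len]) == 0

def write_pcap(path, log_text, server_ip="10.0.0.80"):
    """Write one full TCP session per log line; returns the number of frames written."""
    count = 0
    with open(path, "wb") as f:
        # pcap global header: magic, version 2.4, zone 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for n, (client, request) in enumerate(parse_log(log_text)):
            for seg in build_session(client, server_ip, request, sport=40000 + n,
                                     c_isn=1000 + 100000 * n, s_isn=5000 + 100000 * n):
                frame = encode_frame(seg)
                # record header: seconds, microseconds (kept increasing), captured length, length
                f.write(struct.pack("<IIII", int(time.time()), count * 1000, len(frame), len(frame)))
                f.write(frame)
                count += 1
    return count

if __name__ == "__main__":
    print("frames written:", write_pcap("replayed_log.pcap", SAMPLE_LOG))
```

Each session uses its own source port and initial sequence numbers so the IDS tracks them as distinct flows, and the request payload is only ever placed on a PSH/ACK segment after the handshake, which removes the cause of both alerts shown above. The resulting file can be fed to the IDS offline (for Snort, `snort -r replayed_log.pcap`), which also makes the analysis scriptable.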
Answered here:
https://security.stackexchange.com/questions/193036/analyzing-apache-log-with-snort
Basically, instead of crafting my own packets, it is better to use the requests library and send the requests directly.