The pcap is very strange. For the TCP “session” that packet 193 is supposed to be part of, we see that both the request and the response have the same src_ip and dest_ip. So it’s like the client sent a request to the server and then also sent the response to the server, while the server didn’t respond. How did you generate the pcap?
I sent it using a Scapy script which replaces ALL the packets’ source addresses with my sending device’s source address, and likewise the destination addresses with the receiving device’s.
I don’t completely understand, but I can see that the pcap is invalid. In the real traffic you’re sending, do the SYN and SYN/ACK have the same src ip? Do they have the same dst ip? If so I think your script needs some work to create a proper TCP and HTTP session.
Will try again with an updated script, but could you go into more detail about how, in its current form, the TCP/HTTP is broken? I would like to know more.
In the original you can see there is a client IP and a server IP and they talk back and forth. This is normal TCP/HTTP.
The script you use rewrites it to have just the (new) client IP talk to the (new) server IP. So there is no conversation anymore. The client IP now also pretends to be the server when it replies to its own request which it also sends to the new server IP.
from scapy.all import Ether, IP, TCP, UDP, rdpcap, sendp

# This code reads packet data from the pcap file supplied, and then edits the packets.
pkts = rdpcap("havex.pcap")
ORIGINAL_VICTIM_ADDRESS = "10.0.2.15"
ORIGINAL_ATTACKER_ADDRESS = "68.183.138.51"

for pkt in pkts:
    # Skip frames with no IP layer (ARP etc.); pkt[IP] on those raises IndexError
    if IP not in pkt:
        continue
    # If the original sender is the attacker: rewrite as new attacker -> new victim
    if pkt[IP].src == ORIGINAL_ATTACKER_ADDRESS:
        pkt[Ether].src = "00:E0:4C:00:02:42"
        pkt[Ether].dst = "00:E0:4C:01:08:99"
        pkt[IP].src = "169.254.162.71"
        pkt[IP].dst = "169.254.208.208"
    # If the original sender is the victim: rewrite as new victim -> new attacker
    elif pkt[IP].src == ORIGINAL_VICTIM_ADDRESS:
        pkt[Ether].src = "00:E0:4C:01:08:99"
        pkt[Ether].dst = "00:E0:4C:00:02:42"
        pkt[IP].src = "169.254.208.208"
        pkt[IP].dst = "169.254.162.71"
    # Clear the checksums so Scapy recomputes them for the new addresses
    # (the TCP/UDP checksum covers a pseudo-header with the IP addresses)
    pkt[IP].chksum = None
    if TCP in pkt or UDP in pkt:
        pkt[IP].payload.chksum = None
    # wrpcap('dump.pcap', pkt, append=True)
    sendp(pkt, iface="Ethernet 4")  # sending packet at layer 2
    print("Sent!")
This code produces this pcap file: dump.pcap (269.1 KB)
When Suricata read this file, no rule violation occurred (nothing was written to fast.log). When the files were sent as live packets, no rule violation occurred (nothing was written to fast.log). I’m confused. I have noticed that not all the packets were changed to the updated IP addresses, but still, I don’t think that would have prevented a rule from triggering. Any help appreciated.
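The two points raised in the thread, that a rewritten capture must still show the reply travelling from server to client, and that the checksums must be recomputed for the new addresses, can be checked without Scapy. The following is an added example, not code from the original posts or from Suricata: a pure-Python rewriter that parses Ethernet/IPv4/TCP frames with struct, maps source and destination through one per-host table (so a reply is never turned into a second client-to-server packet, and a frame that touches only one known host still gets that side updated), recomputes the IPv4 and TCP checksums, and then reports any SYN that has no SYN/ACK coming back the other way. It assumes untagged Ethernet, IPv4 without options and TCP; the sample frames, ports and MAC addresses are constructed for the example, only the four IP addresses come from the thread.

```python
"""Rewrite Ethernet/IPv4/TCP frames to new hosts and sanity-check the result."""
import struct
from collections import namedtuple

SYN, ACK = 0x02, 0x10
Pkt = namedtuple("Pkt", "smac dmac sip dip sport dport flags")


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd-length data is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def fix_checksums(frame: bytes) -> bytes:
    """Recompute the IPv4 header and TCP checksums (what Scapy does when chksum is None).
    Assumes an untagged Ethernet frame carrying IPv4 without options (IHL=5) and TCP."""
    eth, ip, tcp = frame[:14], frame[14:34], frame[34:]
    ip = ip[:10] + b"\x00\x00" + ip[12:]
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    tcp = tcp[:16] + b"\x00\x00" + tcp[18:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))  # src, dst, zero, proto=6, TCP length
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    return eth + ip + tcp


def build_tcp_frame(smac, dmac, sip, dip, sport, dport, flags, payload=b"") -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame with valid checksums (sample input only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(sip), _ip(dip))
    return fix_checksums(_mac(dmac) + _mac(smac) + b"\x08\x00" + ip + tcp)


def parse(frame: bytes) -> Pkt:
    """Extract the addressing fields as strings; TCP flags sit at byte 13 of the TCP header."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("not an IPv4/TCP frame")
    sport, dport = struct.unpack("!HH", frame[34:38])
    return Pkt(frame[6:12].hex(":"), frame[:6].hex(":"),
               ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])),
               sport, dport, frame[47])


def rewrite(frame: bytes, hosts: dict) -> bytes:
    """Map src and dst independently through hosts = {old_ip: (new_mac, new_ip)}, then fix checksums.
    Both fields go through the same table, so a server reply stays server->client and a
    frame touching only one known host still has that side rewritten."""
    p = parse(frame)
    smac, sip = hosts.get(p.sip, (p.smac, p.sip))
    dmac, dip = hosts.get(p.dip, (p.dmac, p.dip))
    return fix_checksums(_mac(dmac) + _mac(smac) + frame[12:26] + _ip(sip) + _ip(dip) + frame[34:])


def unanswered_syns(frames) -> list:
    """(sip, sport, dip, dport) of every SYN with no SYN/ACK travelling the opposite way."""
    syns, replies = set(), set()
    for f in frames:
        p = parse(f)
        if p.flags & (SYN | ACK) == SYN:
            syns.add((p.sip, p.sport, p.dip, p.dport))
        elif p.flags & (SYN | ACK) == SYN | ACK:
            replies.add((p.dip, p.dport, p.sip, p.sport))  # flipped so it matches the SYN's key
    return sorted(syns - replies)


def pcap_bytes(frames) -> bytes:
    """Serialise frames as a classic LINKTYPE_ETHERNET pcap that `suricata -r` can read."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000, i * 1000, len(f), len(f)) + f
    return out


# Constructed sample using the thread's original IPs: the victim (client) opens a
# connection to the attacker (server). MACs and ports are invented for the example.
HOSTS = {"10.0.2.15": ("00:e0:4c:01:08:99", "169.254.208.208"),
         "68.183.138.51": ("00:e0:4c:00:02:42", "169.254.162.71")}
ORIGINAL = [
    build_tcp_frame("08:00:27:aa:bb:cc", "52:54:00:12:35:02", "10.0.2.15", "68.183.138.51", 40000, 80, SYN),
    build_tcp_frame("52:54:00:12:35:02", "08:00:27:aa:bb:cc", "68.183.138.51", "10.0.2.15", 80, 40000, SYN | ACK),
]

if __name__ == "__main__":
    rewritten = [rewrite(f, HOSTS) for f in ORIGINAL]
    for f in rewritten:
        print(parse(f))
    print("unanswered SYNs:", unanswered_syns(rewritten))
    with open("rewritten.pcap", "wb") as fh:
        fh.write(pcap_bytes(rewritten))
```

Run `unanswered_syns` over the frames you intend to replay before pointing Suricata at them: if the list is not empty the capture has exactly the one-directional shape described in the thread, and Suricata's stream engine, which follows the handshake to build a session, has nothing to reassemble into HTTP. `fix_checksums(frame) == frame` is a quick test that the checksums really were regenerated after the address rewrite; Suricata validates checksums by default (`stream.checksum-validation`) and does not feed packets that fail it to the stream engine.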