Fake TCP Handshake

As many people have been reading the following research:

http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three...

I decided to use scapy and snort with my current work to test this theory against a very basic rule.

Here is the real handshake script and pcap:
Real.py
real.pcap

Here is the fake handshake script and pcap:
fake.py
fake.pcap

I used the following rule:

alert tcp any any -> any any (msg:"GET Request"; content:"GET"; http_method; sid:2000000; rev:1;)

Here are my results:

famousjs@youbantoo:~/scapy$ sudo snort -c /etc/snort/snort.conf -A console -q -K none -r real.pcap
11/18-01:21:50.511504 [**] [1:40000008:1] GET Request [**] [Priority: 0] {TCP} 192.168.0.89:9012 -> 72.167.232.144:80
famousjs@youbantoo:~/scapy$

famousjs@youbantoo:~/scapy$ sudo snort -c /etc/snort/snort.conf -A console -q -K none -r fake.pcap
famousjs@youbantoo:~/scapy$

As you can see, only the GET sent after the real handshake triggered the rule; the same request sent after the fake handshake produced no alert from snort.
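The scripts linked above are not reproduced on this page, so the following is an added example rather than the author's Real.py or fake.py. It uses only the Python standard library (a small struct-based packet builder and parser stand in for scapy's IP()/TCP() layers), and it shows the check a defender would want alongside the Snort rule: walk a capture, track per flow whether a SYN, SYN/ACK and ACK were all observed, and report every HTTP GET together with whether its flow ever completed a handshake. The addresses, ports and the second, mid-stream flow are constructed for the demo; that second flow simply lacks any observed handshake and does not reproduce the specific technique from the linked research.

```python
import socket
import struct
from collections import defaultdict

# TCP flag bits, RFC 793 header layout
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_packet(src, dst, sport, dport, flags, seq, ack=0, payload=b""):
    """Build a minimal IPv4+TCP packet (no options, checksums left at zero).
    Hypothetical stand-in for scapy's IP()/TCP() layers; only used to feed
    the parser below, never sent on the wire."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Extract the 5-tuple, flags, sequence number and payload from a raw IPv4+TCP packet."""
    ihl = (raw[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    tcp = raw[ihl:]
    sport, dport, seq, ack, offset, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_offset = (offset >> 4) * 4
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "seq": seq, "payload": tcp[data_offset:]}


class HandshakeTracker:
    """Per client->server flow, remember whether SYN, SYN/ACK and ACK were all seen,
    and record every HTTP GET with the handshake status of its flow."""

    def __init__(self):
        self.state = defaultdict(lambda: {"syn": False, "synack": False, "ack": False})
        self.findings = []

    def feed(self, pkt):
        fwd = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])   # client -> server
        rev = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])   # server -> client
        f = pkt["flags"]
        if f & SYN and not f & ACK:
            # client opens the connection
            self.state[fwd]["syn"] = True
        elif f & SYN and f & ACK:
            # server answers; credit the client's flow, but only after its SYN
            if self.state[rev]["syn"]:
                self.state[rev]["synack"] = True
        elif f & ACK:
            # third step, possibly already carrying data
            st = self.state[fwd]
            if st["syn"] and st["synack"]:
                st["ack"] = True
        if pkt["payload"].startswith(b"GET "):
            st = self.state[fwd]
            complete = st["syn"] and st["synack"] and st["ack"]
            self.findings.append((fwd, complete))


def analyze(raw_packets):
    """Return [(client_flow, handshake_complete)] for every HTTP GET observed."""
    tracker = HandshakeTracker()
    for raw in raw_packets:
        tracker.feed(parse_packet(raw))
    return tracker.findings


def demo():
    """Constructed sample traffic (RFC 5737 documentation addresses): one flow with a
    full three-way handshake before its GET, and one where the capture starts
    mid-stream so no SYN or SYN/ACK is ever seen."""
    c, s = "192.0.2.89", "198.51.100.10"
    get = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    real = [
        build_packet(c, s, 9012, 80, SYN, seq=1000),
        build_packet(s, c, 80, 9012, SYN | ACK, seq=5000, ack=1001),
        build_packet(c, s, 9012, 80, ACK, seq=1001, ack=5001),
        build_packet(c, s, 9012, 80, PSH | ACK, seq=1001, ack=5001, payload=get),
    ]
    midstream = [
        build_packet(c, s, 9013, 80, PSH | ACK, seq=2001, ack=6001, payload=get),
    ]
    return analyze(real + midstream)


if __name__ == "__main__":
    for flow, complete in demo():
        status = "handshake complete" if complete else "NO handshake observed"
        print(f"GET on {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {status}")
```

The tracker only checks flag order, not sequence numbers or the server's acknowledgements, so treat it as a triage pass over a pcap: any request it flags as arriving without an observed handshake is worth inspecting by hand, since that is exactly the class of session a signature relying on reassembled HTTP state may never evaluate.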