New Re2PCAP tool speeds up PCAP process for Snort rules

By Amit Raut

We often joke that for SNORT® rule development, you have to live by the saying “PCAP or it didn’t happen.” PCAP files are very important for Snort rule development, and a new tool from Cisco Talos called “Re2Pcap” allows users to generate a PCAP file in seconds from nothing more than a raw HTTP request or response.

Re2Pcap is lightweight: the Docker image is under 90MB, there is no complex setup, and it cuts the time a rule developer spends producing the PCAP needed to test a Snort rule.

Suppose you want to create a Snort rule to protect your customers from a bug like the Sierra Wireless AirLink ES450 ACEManager iplogging.cgi command injection vulnerability.

There are two different ways to create a PCAP file and test your rule:

Get the vulnerable product and run the exploit code while capturing the traffic
Run a dummy server, then the exploit code while capturing the traffic

Both methods require a lot of time and resources: a vulnerable device (or a convincing stand-in) and a capture set up around the exploit run. Re2Pcap removes that step and improves the productivity of Snort rule development.

Let's see how Re2Pcap can help us create a PCAP file for a vulnerability like the Sierra Wireless one we just mentioned. Talos’ advisory includes the raw HTTP POST request used to exploit this vulnerability, reproduced below (only the request line and headers are shown here):


POST /admin/tools/iplogging.cgi HTTP/1.1
Host: 192.168.13.31:9191
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.13.31:9191/admin/tools/iplogging.html
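To make concrete what turning a raw request into a PCAP involves, here is an added example of a minimal request-to-PCAP builder written for this article using only the Python standard library. It is not Re2Pcap's code and not from the Talos advisory: it synthesizes a TCP three-way handshake, the HTTP request, a response and the teardown, fills in valid IP and TCP checksums, and writes a libpcap file that Snort (snort -r) or Wireshark can read. The IP addresses, MAC addresses, ports, initial sequence numbers, timestamps and the request body are constructed for the example; the request line and Host header mirror the advisory's request shown above, but the body is a placeholder, not the advisory's payload.

```python
# Added example: stdlib-only "raw HTTP request -> PCAP" builder in the spirit
# of Re2Pcap. Not Re2Pcap's own code. All addresses, MACs, ports, sequence
# numbers and timestamps below are constructed for the example.
import functools
import socket
import struct
import time

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10
ETH_TYPE_IPV4 = b"\x08\x00"
# Constructed, locally administered MAC addresses for the two hosts.
MACS = {
    "192.168.13.30": b"\x02\x00\x00\x00\x00\x01",   # client (constructed)
    "192.168.13.31": b"\x02\x00\x00\x00\x00\x02",   # server (address from the advisory's Host header)
}


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words, folded and inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame carrying `payload`, with correct IP and TCP checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return MACS[dst] + MACS[src] + ETH_TYPE_IPV4 + ip + tcp + payload


def http_session(request: bytes, response: bytes, client="192.168.13.30",
                 server="192.168.13.31", sport=40000, dport=9191):
    """Complete TCP conversation: handshake, request, response, FIN/ACK teardown (10 frames)."""
    c, s = 1000, 5000  # constructed initial sequence numbers
    send = functools.partial(tcp_frame, client, server, sport, dport)
    recv = functools.partial(tcp_frame, server, client, dport, sport)
    frames = [send(c, 0, SYN), recv(s, c + 1, SYN | ACK)]
    c, s = c + 1, s + 1                       # SYN consumes one sequence number each way
    frames += [send(c, s, ACK), send(c, s, PSH | ACK, request)]
    c += len(request)
    frames += [recv(s, c, ACK), recv(s, c, PSH | ACK, response)]
    s += len(response)
    frames += [send(c, s, ACK), send(c, s, FIN | ACK), recv(s, c + 1, FIN | ACK), send(c + 1, s + 1, ACK)]
    return frames


def checksums_valid(frame: bytes) -> bool:
    """Re-verify a frame: IP header and TCP pseudo-header+segment must both fold to zero."""
    ip, seg = frame[14:34], frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(ip) == 0 and checksum(pseudo + seg) == 0


def pcap_bytes(frames, start=None) -> bytes:
    """libpcap file: 24-byte global header (link type 1 = Ethernet) plus one 16-byte record header per frame."""
    start = time.time() if start is None else start
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        ts = start + i * 0.001                # constructed 1 ms spacing between frames
        sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


if __name__ == "__main__":
    body = b"x=1"  # constructed placeholder body, not the advisory's payload
    request = (b"POST /admin/tools/iplogging.cgi HTTP/1.1\r\n"
               b"Host: 192.168.13.31:9191\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: %d\r\n\r\n" % len(body)) + body
    response = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    frames = http_session(request, response)
    assert all(checksums_valid(f) for f in frames)
    with open("iplogging.pcap", "wb") as f:
        f.write(pcap_bytes(frames))
```

The checksums matter: Snort's stream and HTTP inspection drop segments with bad checksums by default, so a hand-built PCAP with zeroed checksums will silently produce no alerts even when the rule is right. Feeding the output to a rule under test is then the usual snort -r iplogging.pcap with your configuration; the same file opens in Wireshark, where Follow TCP Stream should show exactly the request and response you passed in.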

