I have Python code on Linux that creates a raw packet:
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP)
s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
ip_header = b'\x45\x00\x00\x28'   # version/IHL, TOS, total length
ip_header += b'\xab\xcd\x00\x00'  # identification, flags/fragment offset
ip_header += b'\x40\x06\xa6\xec'  # TTL, protocol (TCP), header checksum
ip_header += b'\x0a\x0a\x0a\x02'  # source address 10.10.10.2
ip_header += b'\x0a\x0a\x0a\x01'  # destination address 10.10.10.1
tcp_header = b'\x13\x97\x00\x50'  # source port 5015, destination port 80
tcp_header += b'\x00\x00\x00\x00' # sequence number
tcp_header += b'\x00\x00\x00\x00' # acknowledgement number
tcp_header += b'\x50\x02\x71\x10' # data offset/flags (SYN), window
tcp_header += b'\xe6\x32\x00\x00' # checksum, urgent pointer
tcp_header += b'GGG' # Data
packet = ip_header + tcp_header
s.sendto(packet, ('10.10.10.1', 1))
When I run Snort without any rules:
sudo snort
it captures the packet created by the code above:
Commencing packet processing (pid=11114)
12/30-16:01:53.900763 10.10.10.2:5015 -> 10.10.10.1:80
TCP TTL:64 TOS:0x0 ID:43981 IpLen:20 DgmLen:43
******S* Seq: 0x0 Ack: 0x0 Win: 0x7110 TcpLen: 20
but Snort does not capture anything when I run this command:
sudo snort -c local.rules -A console
My local.rules contains this rule:
alert tcp any any -> any any (msg:"TCP CAPTURED"; sid:1000001;)
This rule captures all TCP packets successfully and alerts with the message TCP CAPTURED, but it does not capture the packet created by the code above.
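As an added example (not code from the question), the checker below recomputes the IPv4 header checksum and the TCP checksum, pseudo-header included, over the exact bytes the post sends, which is the validation an IDS performs before rule matching; Snort's default checksum_mode of all means a segment whose TCP checksum does not verify never reaches the rule set, so this is worth ruling out before debugging the rule itself. It assumes the packet is copied verbatim from the post with the lost backslashes restored, and that the Linux kernel, as raw(7) documents for IP_HDRINCL, fills in the IP total length and IP checksum itself, leaving the TCP checksum as written.

```python
import struct

def rfc1071_checksum(data: bytes) -> int:
    """One's-complement checksum (RFC 1071); an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack(f'!{len(data) // 2}H', data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_checksum_ok(ip_hdr: bytes) -> bool:
    # A header whose checksum field is correct sums to zero under RFC 1071.
    return rfc1071_checksum(ip_hdr) == 0

def expected_tcp_checksum(ip_hdr: bytes, tcp_seg: bytes) -> int:
    # TCP checksum covers the pseudo-header (src, dst, zero, proto=6, TCP length)
    # followed by the whole segment with its own checksum field zeroed.
    src, dst = ip_hdr[12:16], ip_hdr[16:20]
    pseudo = src + dst + struct.pack('!BBH', 0, 6, len(tcp_seg))
    zeroed = tcp_seg[:16] + b'\x00\x00' + tcp_seg[18:]
    return rfc1071_checksum(pseudo + zeroed)

def check_packet(packet: bytes) -> dict:
    """Split IPv4 header from TCP segment by IHL and report both checksums."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, tcp_seg = packet[:ihl], packet[ihl:]
    stored = struct.unpack('!H', tcp_seg[16:18])[0]
    expected = expected_tcp_checksum(ip_hdr, tcp_seg)
    return {'ip_ok': ipv4_checksum_ok(ip_hdr),
            'tcp_stored': stored, 'tcp_expected': expected,
            'tcp_ok': stored == expected}

# The packet from the question, copied byte for byte with the escapes restored
# (20-byte IPv4 header, 20-byte TCP header, 3 bytes of payload).
PACKET = (b'\x45\x00\x00\x28\xab\xcd\x00\x00\x40\x06\xa6\xec'
          b'\x0a\x0a\x0a\x02\x0a\x0a\x0a\x01'
          b'\x13\x97\x00\x50\x00\x00\x00\x00\x00\x00\x00\x00'
          b'\x50\x02\x71\x10\xe6\x32\x00\x00GGG')

if __name__ == '__main__':
    for k, v in check_packet(PACKET).items():
        print(k, hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
```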