Snort mailing list archives
RE: Testing techniques
From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Thu, 28 Nov 2002 13:30:21 -0500
Try one of the good PD tools like Nessus to trigger various alerts.
-----Original Message-----
From: Faber Fedor [mailto:faber () linuxnj com]
Sent: Thursday, November 28, 2002 11:20 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Testing techniques

Hi guys!

Now that I've got snort working (or maybe I should say that now that I understand my network ;-), a few questions have popped up in my mind.

1. Is there a testing suite for snort? I've been trying to generate alerts by doing my normal activities (surfing the web, downloading pr0n, viewing quicktime movies) but haven't been able to do so. Oh, I can write my own rules to see if I surf to www.whitehouse.com and snort catches me, but how can I know that the other rules are really working? In the anti-virus (AV) world, there is a "sample virus" called eicar that you can send through your AV system to see if it works. Is there something similar for the snort world?

2. What are good techniques for fine-tuning the rules and what programs do you use? While thinking about my upcoming installation, I got to thinking about "How do I know it's (not) catching the right (wrong) things?". The only thing I can think of is to install the snort box in NIDS mode looking for alerts *and* install another box to log every packet (I gather from the docs that I can't have one instance of snort do both, right?). Then come back a few days later and slog through the log files looking for problems. I assume there is a better way, yes?

--
Regards,
Faber

Linux New Jersey: Open Source Solutions for New Jersey
http://www.linuxnj.com

-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
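One concrete "eicar for snort", added here as an example and not taken from this thread or from the Snort project: a Python script that writes a pcap containing a full TCP three-way handshake followed by an HTTP request carrying a made-up marker string, plus a local rule that matches only that marker. The addresses, ports, MAC addresses, marker text and SID are all assumptions. Replaying the file with `snort -r snort-selftest.pcap -c snort.conf -A console` (Snort 2 command-line flags) after adding local-selftest.rules to the config answers question 1 for the plumbing: if the LOCAL alert does not appear, the sensor, its interface or its config is broken rather than any particular rule.

```python
"""Generate a pcap holding a known-trigger HTTP request (a 'snort eicar') and the
local rule that should fire on it, so `snort -r` can prove that the sensor, its
config and rule loading all work. Added example, not Snort project code. Every
address, port, MAC, sequence number and the marker string is made up."""
import struct
import socket

# Constructed marker: a harmless request that only our local rule should match.
MARKER = b"GET /snort-selftest-marker HTTP/1.0\r\nHost: example.test\r\n\r\n"
CLIENT, SERVER = "192.0.2.10", "192.0.2.80"      # TEST-NET-1 addresses (assumed)
CLIENT_PORT, SERVER_PORT = 40000, 80

SYN, SYN_ACK, ACK, PSH_ACK = 0x02, 0x12, 0x10, 0x18


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, flags, seq, ack, payload=b""):
    """Ethernet + IPv4 + TCP frame with valid IP and TCP checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                         0x4000, 64, 6, 0, src, dst)          # DF set, TTL 64, proto 6 = TCP
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4,
                          flags, 65535, 0, 0)                  # 20-byte header, no options
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, tcp_len)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", checksum(pseudo + tcp_hdr + payload)) + tcp_hdr[18:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("6677889900aa") + b"\x08\x00"  # made-up MACs
    return eth + ip_hdr + tcp_hdr + payload


def verify_checksums(frame: bytes) -> bool:
    """True when both the IPv4 header and the TCP segment checksum to zero."""
    ip_hdr, tcp_seg = frame[14:34], frame[34:]
    pseudo = struct.pack("!4s4sBBH", ip_hdr[12:16], ip_hdr[16:20], 0, 6, len(tcp_seg))
    return checksum(ip_hdr) == 0 and checksum(pseudo + tcp_seg) == 0


def selftest_session():
    """Three-way handshake, then the marker request. Without the handshake a
    stream preprocessor may never consider the flow established, and rules
    that use flow:established would silently not fire."""
    cseq, sseq = 1000, 5000
    return [
        build_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, SYN, cseq, 0),
        build_frame(SERVER, CLIENT, SERVER_PORT, CLIENT_PORT, SYN_ACK, sseq, cseq + 1),
        build_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, ACK, cseq + 1, sseq + 1),
        build_frame(CLIENT, SERVER, CLIENT_PORT, SERVER_PORT, PSH_ACK, cseq + 1, sseq + 1, MARKER),
    ]


def build_pcap(frames, start_ts=1038500000):
    """Classic libpcap file: 24-byte global header, then a 16-byte header per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", start_ts, i * 1000, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes):
    """Inverse of build_pcap; used to check what was written."""
    magic, = struct.unpack("<I", data[:4])
    assert magic == 0xA1B2C3D4, "unexpected pcap magic"
    frames, pos = [], 24
    while pos < len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[pos:pos + 16])
        frames.append(data[pos + 16:pos + 16 + incl])
        pos += 16 + incl
    return frames


def selftest_rule(sid=1000001):
    """Local rule that should fire on the marker and nothing else. SIDs from
    1000000 up are the range for local rules; the msg text is our choice."""
    return ('alert tcp any any -> any %d (msg:"LOCAL snort self-test marker"; '
            'content:"/snort-selftest-marker"; nocase; '
            'classtype:not-suspicious; sid:%d; rev:1;)' % (SERVER_PORT, sid))


if __name__ == "__main__":
    with open("snort-selftest.pcap", "wb") as f:
        f.write(build_pcap(selftest_session()))
    with open("local-selftest.rules", "w") as f:
        f.write(selftest_rule() + "\n")
    print("wrote snort-selftest.pcap and local-selftest.rules")
```

This only proves that the sensor sees traffic and loads rules; it says nothing about whether the stock rule set catches real attacks. For that you still need captures of the real thing, which is what the Nessus suggestion above provides: scan a test host through the sensor and compare the alerts against the plugins you ran.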
Current thread:
- Testing techniques Faber Fedor (Nov 28)
- Re: Testing techniques twig les (Nov 28)
- Re: Testing techniques Rafeeq Ur Rehman (Nov 28)
- <Possible follow-ups>
- RE: Testing techniques Fraser Hugh (Nov 28)