Snort mailing list archives

RE: Testing techniques


From: Fraser Hugh <hugh_fraser () dofasco ca>
Date: Thu, 28 Nov 2002 13:30:21 -0500

Try one of the good PD tools like Nessus to trigger various alerts.

-----Original Message-----
From: Faber Fedor [mailto:faber () linuxnj com]
Sent: Thursday, November 28, 2002 11:20 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Testing techniques


Hi guys!

Now that I've got snort working (or maybe I should say that now that I
understand my network ;-), a few questions have popped up in my mind.

1. Is there a testing suite for snort?  

I've been trying to generate alerts by doing my normal activities
(surfing the web, downloading pr0n, viewing quicktime movies) but
haven't been able to do so.  Oh, I can write my own rules to see if I
surf to www.whitehouse.com and snort catches me, but how can I know that
the other rules are really working?

In the anti-virus (AV) world, there is a "sample virus" called eicar that you
can send through your AV system to see if it works.  Is there something
similar for the snort world?

2. What are good techniques for fine-tuning the rules and what programs
do you use?

While thinking about my upcoming installation, I got to thinking about
"How do I know it's (not) catching the right (wrong) things?".  

The only thing I can think of is to install the snort box in NIDS mode
looking for alerts *and* install another box to log every packet (I
gather from docs that I can't have one instance of snort do both,
right?).  Then come back a few days later and slog through the log files
looking for problems.

I assume there is a better way, yes?

-- 
 
Regards,
 
Faber                     

Linux New Jersey: Open Source Solutions for New Jersey
http://www.linuxnj.com





-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T 
handheld. Power & Color in a compact size! 
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
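Added example (editor's code, not from either poster): the closest thing to an
EICAR-style check for Snort is a capture file of packets hand-built to match
specific rules, replayed offline with `snort -r test.pcap -c snort.conf`.  The
script below parses the `content:` options of a few constructed local rules
(sid >= 1000000, the range reserved for local rules), wraps each payload in a
complete TCP handshake so `flow:established` rules get stream state, and writes
a pcap with valid IP/TCP checksums; it also reads the file back to confirm what
was written.  Addresses, MACs, sequence numbers and timestamps are constructed
for the example, and `read_pcap` is a deliberately minimal checker, not a
general pcap parser.

```python
"""Build an offline Snort test pcap from rules' content: options (added example)."""
import re
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
CLIENT, SERVER = "192.0.2.10", "198.51.100.80"          # constructed, RFC 5737 ranges
MAC = {CLIENT: bytes.fromhex("020000000001"), SERVER: bytes.fromhex("020000000002")}

# Constructed local rules (sid >= 1000000 is the local-rule range), not real ruleset entries.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL-TEST passwd in request"; '
    'flow:to_server,established; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"LOCAL-TEST FTP SITE EXEC"; '
    'flow:to_server,established; content:"SITE|20|EXEC"; nocase; sid:1000002; rev:1;)',
]
RULE_RE = re.compile(r"^alert\s+tcp\s+\S+\s+\S+\s*->\s*\S+\s+(?P<dport>\d+)\s*\((?P<opts>.*)\)\s*$")


def content_to_bytes(spec):
    """Expand Snort content syntax: text outside |..| is literal, inside |..| is hex."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Return (sid, dport, payload); the payload carries every content: match in order."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule header: " + rule)
    opts = m.group("opts")
    sid = int(re.search(r"sid:\s*(\d+)", opts).group(1))
    parts = [content_to_bytes(c) for c in re.findall(r'content:\s*"([^"]*)"', opts)]
    return sid, int(m.group("dport")), b" ".join(parts) + b"\r\n"


def checksum(data):
    """RFC 1071 one's-complement sum; Snort ignores packets whose checksums are wrong."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b"", ident=1):
    """Ethernet/IPv4/TCP frame with valid checksums (no options, window 65535)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    pseudo = ip4(src) + ip4(dst) + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), ident,
                     0x4000, 64, 6, 0, ip4(src), ip4(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return MAC[dst] + MAC[src] + b"\x08\x00" + ip + tcp + payload


def tcp_session(sport, dport, payload):
    """Three-way handshake, one data segment, one ACK: flow:established needs the handshake."""
    c, s = 1000, 5000                      # constructed initial sequence numbers
    return [
        tcp_frame(CLIENT, SERVER, sport, dport, c, 0, SYN),
        tcp_frame(SERVER, CLIENT, dport, sport, s, c + 1, SYN | ACK),
        tcp_frame(CLIENT, SERVER, sport, dport, c + 1, s + 1, ACK),
        tcp_frame(CLIENT, SERVER, sport, dport, c + 1, s + 1, PSH | ACK, payload),
        tcp_frame(SERVER, CLIENT, dport, sport, s + 1, c + 1 + len(payload), ACK),
    ]


def build_test_pcap(rules):
    """Return (pcap bytes, {sid: (dport, payload)}) with one session per rule."""
    frames, expected = [], {}
    for n, rule in enumerate(rules):
        sid, dport, payload = parse_rule(rule)
        expected[sid] = (dport, payload)
        frames += tcp_session(40000 + n, dport, payload)
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # pcap header, Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1038500000 + i, 0, len(f), len(f)) + f
    return out, expected


def read_pcap(data):
    """Minimal reader for checking the file: one dict per TCP packet, with checksum validity."""
    pkts, off = [], 24
    while off < len(data):
        _, _, incl, _ = struct.unpack_from("<IIII", data, off)
        ip = data[off + 16 + 14: off + 16 + incl]
        off += 16 + incl
        ihl, total = (ip[0] & 0xF) * 4, struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total]
        sport, dport, _, _, off_flags = struct.unpack_from("!HHIIH", tcp)
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
        pkts.append({"src": ".".join(map(str, ip[12:16])), "dport": dport,
                     "flags": off_flags & 0x1FF, "payload": tcp[(off_flags >> 12) * 4:],
                     "checksums_ok": checksum(ip[:ihl]) == 0 and checksum(pseudo + tcp) == 0})
    return pkts


if __name__ == "__main__":
    pcap, expected = build_test_pcap(SAMPLE_RULES)
    with open("snort-test.pcap", "wb") as fh:
        fh.write(pcap)
    print("wrote %d packets; expect sids %s in the alert file" % (len(read_pcap(pcap)), sorted(expected)))
```

Run it, then `snort -r snort-test.pcap -c snort.conf -l ./log` with the sample
rules included in the config, and grep the alert file for each expected sid: a
sid that never fires is a broken rule, a misconfigured `$HOME_NET`, or a missing
preprocessor.  Two caveats: `flow:established` only works with the stream
preprocessor loaded, which is why the generator bothers with a handshake, and
rules built on `uricontent` match the normalized URI from the HTTP preprocessor,
so they need a real request line rather than the bare payload used here.  The
same replay loop is also the practical answer to the tuning question: capture a
day of traffic with tcpdump once, then re-run `snort -r` over that file against
each candidate ruleset instead of waiting days on the live wire.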