Snort mailing list archives

Re: false positive generator


From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Wed, 11 Feb 2004 15:01:07 +0100

Hi Bob,

> Don't get me wrong, I am all for these stateless attack tools - they
> serve their purpose. I just thought that if you were trying to populate
> a database with "real" attacks they might not be the best way to do it -
> I misunderstood your intentions - sorry.

no problem...

> If you are looking to verify maximum insert rates, etc, you could still
> use real exploit traffic, captured with tcpdump and replayed under
> script control via tcpreplay - probably more controllable than
> Stick/Snot/Sneeze and no need to invest in fancy tools.

Of course you're right, but what if I don't have captured attacks? Or is
there a place where I can find captured tcpdump files full of alerts?

And one other point is: if you just want to test whether a new keyword
works as designed, it could be helpful to build a packet which
should trigger an alert. Whether this alert matches a real attack
is another question...

Best regards

Dirk
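The two approaches discussed in this exchange, replaying captured traffic under script control and hand-building a packet that should trigger one keyword, meet in a small pcap generator. The script below is an added example and is not code from Dirk, Bob, the Snort project or tcpreplay. It crafts a single Ethernet/IPv4/TCP frame whose payload contains the string a constructed test rule looks for (`content:"/cgi-bin/phf"`; the addresses, ports, payload, timestamp and sid are all made up for the example), writes it as a classic libpcap file that `snort -r` can read or `tcpreplay` can send, and checks two things a practitioner gets bitten by: the IP and TCP checksums are correct, because Snort's default `checksum_mode` does not hand a packet with a bad checksum to the detection engine, and the pattern really is in the TCP payload that Snort will inspect. Standard library only.

```python
"""Added example: craft one TCP packet whose payload matches a Snort
'content' keyword, write it into a pcap that `snort -r` can read or
`tcpreplay` can replay, and sanity-check it offline.  Standard library only;
all addresses, ports, the payload and the rule pattern are constructed."""
import socket
import struct

# Constructed test rule this packet is meant to fire (not a rule from the page):
#   alert tcp any any -> any 80 (msg:"TEST phf"; content:"/cgi-bin/phf"; sid:1000001;)
RULE_CONTENT = b"/cgi-bin/phf"
PAYLOAD = b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"   # constructed; 29 bytes, odd, so padding is exercised


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words, zero-padded if odd."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, payload, seq=1, ack=1):
    """Ethernet/IPv4/TCP frame carrying `payload` as a lone PSH|ACK segment
    with correct IP and TCP checksums.  Snort's default checksum_mode skips
    detection on packets whose checksums fail, so a sloppy generator that
    leaves them at zero never triggers anything."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    # data offset 5 words, flags PSH|ACK, window 65535, checksum placeholder 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    tsum = checksum(pseudo + tcp + payload) or 0xFFFF   # TCP transmits 0xFFFF for a zero result
    tcp = tcp[:16] + struct.pack("!H", tsum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def verify_checksums(frame: bytes) -> bool:
    """True if both the IP header and the TCP segment checksum to zero."""
    ip = frame[14:34]
    if checksum(ip) != 0:
        return False
    total_len = struct.unpack("!H", ip[2:4])[0]
    seg = frame[34:14 + total_len]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(seg))
    return checksum(pseudo + seg) == 0


def tcp_payload(frame: bytes) -> bytes:
    """Walk the headers by their length fields instead of assuming offsets."""
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp_off = 14 + ihl
    doff = (frame[tcp_off + 12] >> 4) * 4
    return frame[tcp_off + doff:14 + total_len]


def matches_content(frame: bytes, pattern: bytes) -> bool:
    """Cheap offline stand-in for the rule's content match: is the pattern
    really in the bytes Snort will see?  Snort itself is still the real test."""
    return pattern in tcp_payload(frame)


def write_pcap(frames, ts_sec=1076511667) -> bytes:
    """Classic libpcap file: 24-byte global header (linktype 1 = Ethernet),
    then a 16-byte record header before each frame.  ts_sec is a constructed value."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts_sec + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    frame = build_frame("10.0.0.1", "10.0.0.2", 40000, 80, PAYLOAD)
    assert verify_checksums(frame) and matches_content(frame, RULE_CONTENT)
    with open("synth.pcap", "wb") as fh:
        fh.write(write_pcap([frame]))
    # then:  snort -r synth.pcap -c test.rules   or   tcpreplay -i eth0 synth.pcap
```

Two caveats when using a file like this. The segment is stateless, exactly like Stick/Snot output, so a rule carrying `flow:established` will not fire on it; keep the keyword under test in a rule without flow constraints, or write the three-way handshake into the pcap ahead of the data segment. And `write_pcap` takes a list, so the same script can emit thousands of frames with varied payloads for the insert-rate test Bob describes, while the packet that should fire the rule and the one that should not can sit side by side in one capture for the keyword test Dirk describes.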




