Snort mailing list archives
Re: false positive generator
From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Wed, 11 Feb 2004 15:01:07 +0100
Hi Bob,
> Don't get me wrong, I am all for these stateless attack tools - they serve their purpose. I just thought that if you were trying to populate a database with "real" attacks they might not be the best way to do it - I misunderstood your intentions - sorry.
no problem...
> If you are looking to verify maximum insert rates, etc, you could still use real exploit traffic, captured with tcpdump and replayed under script control via tcpreplay - probably more controllable than Stick/Snot/Sneeze and no need to invest in fancy tools.
Of course you're right, but what if I don't have captured attacks? Or is there a place where I can find captured tcpdump files full of alerts?

And one other point: if you just want to test whether a new keyword works as designed, it can be helpful to build a packet which should trigger an alert. Whether this alert matches a real attack is another question...

Best regards

Dirk
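The second point in the message above, building a packet that should trigger a specific rule so a new keyword can be checked, can be done without any special tool. The following is an added example, not code from the thread or from any of its participants: a standard-library Python script that crafts one Ethernet/IPv4/TCP frame carrying a chosen payload, computes valid IP and TCP checksums (Snort discards packets with bad checksums by default), wraps it in a pcap file for `snort -r` or tcpreplay, and parses the file back to confirm what was written. The MAC addresses, IP addresses (RFC 5737 documentation ranges), ports, payload string and the commented rule with its local-range sid are all constructed test values.

```python
"""Added example (not from the thread): craft one TCP packet carrying a
chosen payload and wrap it in a pcap file, so that a Snort rule (for
instance one exercising a new 'content' keyword) can be tested offline with
`snort -r keyword_test.pcap -c test.rules` or replayed with tcpreplay.
Standard library only; addresses, ports and payload are constructed."""
import socket
import struct

# Constructed test values: locally administered MACs, RFC 5737 documentation
# addresses, and a payload that only a purpose-built test rule should match.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.20"
SPORT, DPORT = 40000, 80
TEST_PAYLOAD = b"GET /SNORT-KEYWORD-TEST HTTP/1.0\r\n\r\n"
# A matching local rule would look like this (constructed; sid in the local range):
# alert tcp any any -> any 80 (msg:"content keyword test"; \
#     content:"SNORT-KEYWORD-TEST"; sid:1000001; rev:1;)

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_test_frame(payload: bytes = TEST_PAYLOAD) -> bytes:
    """Ethernet/IPv4/TCP frame (PSH|ACK, no options) with correct checksums."""
    src, dst = socket.inet_aton(SRC_IP), socket.inet_aton(DST_IP)
    seq, ack, window = 1000, 2000, 8192
    data_offset, flags = 5 << 4, 0x18  # 20-byte TCP header, PSH + ACK
    tcp = struct.pack("!HHIIBBHHH", SPORT, DPORT, seq, ack,
                      data_offset, flags, window, 0, 0)
    tcp_len = len(tcp) + len(payload)
    # TCP checksum covers the pseudo-header, the header and the payload.
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                     64, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = DST_MAC + SRC_MAC + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


def build_pcap(frames, ts_sec: int = 0) -> bytes:
    """Little-endian pcap (v2.4, Ethernet link type) holding the given frames."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts_sec + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data: bytes):
    """Return (sport, dport, payload) for each Ethernet/IPv4/TCP frame in a pcap."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    results, off = [], 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if struct.unpack("!H", frame[12:14])[0] != 0x0800:
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != socket.IPPROTO_TCP:
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        doff = (tcp[12] >> 4) * 4
        results.append((*struct.unpack("!HH", tcp[:4]), tcp[doff:]))
    return results


def ip_checksum_ok(frame: bytes) -> bool:
    """A header whose checksum field is valid sums to zero."""
    ip = frame[14:]
    return checksum(ip[:(ip[0] & 0x0F) * 4]) == 0


def tcp_checksum_ok(frame: bytes) -> bool:
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    seg = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, ip[9], len(seg))
    return checksum(pseudo + seg) == 0


if __name__ == "__main__":
    frame = build_test_frame()
    pcap = build_pcap([frame])
    with open("keyword_test.pcap", "wb") as f:
        f.write(pcap)
    print("wrote keyword_test.pcap, checksums ok:",
          ip_checksum_ok(frame) and tcp_checksum_ok(frame), parse_pcap(pcap))
```

Because the checksums are valid, the packet survives Snort's default checksum verification; the checksum helpers are also a quick way to confirm that a hand-edited test pcap has not been silently broken before it is replayed. A packet like this only shows that the rule's keyword fires on the bytes it was written for, which is exactly the point made above: it is a rule-logic test, not evidence about real attack traffic.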