Snort mailing list archives

Re: how to test snort rules?


From: Matt Olney <molney () sourcefire com>
Date: Tue, 8 Feb 2011 15:05:56 -0500

Sort of a fox-hen house issue there, but it should at least test some parts
of it.  Sort of hard problem, you'll have to mimic DCE/RPC, web traffic,
etc...to trigger flowbits and prime the dcerpc preprocessor.

I might try to put together some pcaps that test the major functionality of
Snort so you can check your configs.

/me adds to my extensive todo list

Matt

On Tue, Feb 8, 2011 at 12:12 PM, Fraser, Hugh <hugh.fraser () arcelormittal com> wrote:

There's also a project, still in development, called Rule2Alert that
imports snort rules and uses Scapy to generate the corresponding traffic to
trigger the rules. It's at www.malforge.com.

------------------------------
*From:* Matt Olney [mailto:molney () sourcefire com]
*Sent:* Tuesday, February 08, 2011 10:54 AM
*To:* Kevin Ross
*Cc:* snort-users () lists sourceforge net
*Subject:* Re: [Snort-users] how to test snort rules?

For example, https://www.openpacket.org/capture/grab/40 (ms06-040) should
fire sid:7209:

kpyke@vrt-dev-01:~/mal_pack$ stest -Kqn ms06_04.pcap
Alerts (2.9.0, ms06_04.pcap)
1:7209:10       NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt     Alerts: 2


On Tue, Feb 8, 2011 at 7:38 AM, Kevin Ross <kevross33 () googlemail com> wrote:

You could also look at openpacket.org and set Snort to read the packet in
(make sure you haven't set your $HOME_NET variable when you test it, so it
will fire on any IP, though in practice you should have your $HOME_NET set and
then EXTERNAL_NET !HOME_NET so it considers everything else non-internal). I
would also advise using the Emerging Threats Snort rules (google them) for
some free rules which cover a lot of malware, command and control, known
hostile IP addresses, exploits, scanners and so on. You could also look on
sites like exploit-db.com for vulnerabilities which are covered, to test
them from another system.

Regards, Kevin

On 8 February 2011 09:29, anvin igcar <avigcar () gmail com> wrote:

Dear members,
I am new to Snort and I installed it on my Fedora 12 system. Snort is
running properly and I am using BASE to view Snort alerts. I want to know
how to test Snort rules; I want to test my running Snort before deploying
it.
Is there any software which would do this?

Thanks



------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
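The pcap-replay check that Matt and Kevin describe above (read a known-bad capture into Snort, confirm the expected SID fires, and neutralise $HOME_NET for the test) can be turned into a small regression harness. The script below is an added example and is not code from the thread, from the Snort project, or from Matt's stest tool. It assumes Snort 2.x, the `-A fast` alert format written to a file named `alert` in the log directory, and that the `-S name=value` command-line override takes precedence over the `ipvar` in snort.conf (if your build ignores it, set HOME_NET to `any` in a test copy of the config instead). The alert lines embedded in it are constructed, modelled on the two sid 7209 hits Matt shows for the ms06-040 capture, and are not real sensor output.

```python
"""Regression-check Snort 2.x rules by replaying a pcap (added example)."""
import re
import subprocess
import tempfile
from collections import Counter
from pathlib import Path

# Snort "-A fast" writes one alert per line; the [gid:sid:rev] tuple between
# the first pair of [**] markers is what the check keys on.
FAST_ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")

# Constructed sample of alert_fast output (not real sensor output): two hits
# for sid 7209 plus one made-up preprocessor alert under a non-text gid.
SAMPLE_ALERTS = """\
02/08-15:05:56.123456  [**] [1:7209:10] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:1042 -> 10.0.0.9:445
02/08-15:05:56.234567  [**] [1:7209:10] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:1042 -> 10.0.0.9:445
02/08-15:05:57.000001  [**] [133:1:1] (dce2) constructed preprocessor alert [**] [Priority: 3] {TCP} 10.0.0.5:1042 -> 10.0.0.9:445
"""


def parse_fast_alerts(text):
    """Return (Counter of (gid, sid, rev) -> alert count, dict of key -> msg)."""
    counts = Counter()
    messages = {}
    for line in text.splitlines():
        m = FAST_ALERT_RE.search(line)
        if not m:
            continue  # not an alert line (blank, or a format we don't parse)
        key = tuple(int(x) for x in m.group(1, 2, 3))
        counts[key] += 1
        messages[key] = m.group(4)
    return counts, messages


def check_expected(counts, expected):
    """expected maps sid -> minimum alert count; returns a list of failures.

    Only gid 1 (text rules) is counted: preprocessor alerts live under other
    gids and a rule test should not be satisfied by one of those by accident.
    """
    by_sid = Counter()
    for (gid, sid, _rev), n in counts.items():
        if gid == 1:
            by_sid[sid] += n
    failures = []
    for sid, want in expected.items():
        got = by_sid.get(sid, 0)
        if got < want:
            failures.append(f"sid {sid}: expected >= {want} alerts, got {got}")
    return failures


def snort_command(pcap, conf, logdir, home_net="any"):
    """Build argv for a pcap replay with fast alerts into logdir.

    -S overrides a rules-file variable (assumed to beat the ipvar in the conf)
    so the test fires whatever the sensor's production HOME_NET is; both
    sides are set to 'any' because '!any' for EXTERNAL_NET is not valid.
    """
    return ["snort", "-q", "-c", str(conf), "-r", str(pcap), "-A", "fast",
            "-l", str(logdir), "-S", f"HOME_NET={home_net}",
            "-S", "EXTERNAL_NET=any"]


def run_snort(pcap, conf, expected, home_net="any"):
    """Replay pcap through Snort and return failures (empty list = pass)."""
    with tempfile.TemporaryDirectory() as logdir:
        subprocess.run(snort_command(pcap, conf, logdir, home_net), check=True)
        alert_file = Path(logdir) / "alert"  # name used by -A fast
        text = alert_file.read_text() if alert_file.exists() else ""
        counts, _ = parse_fast_alerts(text)
        return check_expected(counts, expected)


if __name__ == "__main__":
    # Offline self-check on the constructed sample; a real run would be
    # run_snort("ms06_04.pcap", "/etc/snort/snort.conf", {7209: 2}).
    counts, msgs = parse_fast_alerts(SAMPLE_ALERTS)
    print(check_expected(counts, {7209: 2}) or "sid 7209 fired as expected")
```

Each pcap in the suite gets an `expected` map of the SIDs it must trigger; running the suite after every rule or config change then catches a preprocessor that stopped decoding, a flowbit that no longer sets, or a $HOME_NET tweak that silently turned a rule off.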
