Snort mailing list archives

Re: how to test snort rules?


From: "Fraser, Hugh" <hugh.fraser () arcelormittal com>
Date: Tue, 8 Feb 2011 12:12:56 -0500

There's also a project, still in development, called Rule2Alert that
imports snort rules and uses Scapy to generate the corresponding traffic
to trigger the rules. It's at www.malforge.com.

________________________________

From: Matt Olney [mailto:molney () sourcefire com] 
Sent: Tuesday, February 08, 2011 10:54 AM
To: Kevin Ross
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] how to test snort rules?


For example, https://www.openpacket.org/capture/grab/40 (ms06-040)
should fire sid:7209: 

kpyke@vrt-dev-01:~/mal_pack$ stest -Kqn ms06_04.pcap
Alerts (2.9.0, ms06_04.pcap)
1:7209:10       NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize
overflow attempt     Alerts: 2


On Tue, Feb 8, 2011 at 7:38 AM, Kevin Ross <kevross33 () googlemail com>
wrote:


        You could also look at openpacket.org and set snort to read the
packet in (make sure you haven't set your $HOME_NET variable and to test
it so it will fire on any IP, though in practice you should have your
$HOME_NET set and then EXTERNAL_NET !HOME_NET so it considers everything
else non-internal). I would also advise using the emergingthreats snort
rules (google them) for some free rules which cover a lot of malware,
command and control, known hostile IP addresses, exploits, scanners and so
on. You could also look on sites like exploit-db.com for vulnerabilities
which are covered to test them from another system.
        
        Regards, Kevin 
        
        
        On 8 February 2011 09:29, anvin igcar <avigcar () gmail com> wrote:
        

                Dear members
                  I am new to snort and I installed it on my Fedora 12
system. SNORT is running properly and I am using BASE to view snort
alerts. I want to know how to test snort rules; I want to test my
running snort before deploying it.
                Is there any software which would do this?

                Thanks
                
                
                
        
------------------------------------------------------------------------
------
                The ultimate all-in-one performance toolkit: Intel(R)
Parallel Studio XE:
                Pinpoint memory and threading errors before they happen.
                Find and fix more than 250 security defects in the
development cycle.
                Locate bottlenecks in serial and parallel code that
limit performance.
                http://p.sf.net/sfu/intel-dev2devfeb
                _______________________________________________
                Snort-users mailing list
                Snort-users () lists sourceforge net
                Go to this URL to change user options or unsubscribe:
                https://lists.sourceforge.net/lists/listinfo/snort-users
                Snort-users list archive:
                http://www.geocrawler.com/redir-sf.php3?list=snort-users
                



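Matt's and Kevin's replies describe the same workflow: replay a pcap through Snort, with HOME_NET opened up so the rule is not filtered out by address, and check that the SID you expect actually fires. The script below is an added example of that as a small regression harness; it is not code from any of the posters or from the Snort project. It assumes Snort 2.x on the PATH (the `-A console`, `-r`, `-c`, `-k none` and `-S n=v` flags), and the three alert lines it parses are constructed samples in Snort's fast alert format, modelled on the ms06-040 result above (sid 7209 firing twice) plus one made-up SID to show how an unexpected alert is reported.

```python
"""Regression harness for Snort rules: replay a pcap, parse Snort's
fast-format alerts and check that the expected SIDs fired.

Added example for this thread, not code from the list posters or the
Snort project. Assumes Snort 2.x on PATH; the sample alert text below
is constructed, not captured output."""
import re
import subprocess
import sys
from collections import Counter

# Snort '-A fast' / '-A console' lines carry a [gid:sid:rev] triple
# between the first two "[**]" markers; that triple is what we key on.
FAST_ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]"
    r"\s+(?P<msg>.*?)\s+\[\*\*\]"
)

# Constructed sample output: sid 7209 twice (as in the ms06-040 run in
# the thread) and one made-up local-range SID that was NOT expected.
SAMPLE_FAST_OUTPUT = """\
02/08-12:12:56.000001  [**] [1:7209:10] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:1045 -> 10.0.0.9:445
02/08-12:12:56.000002  [**] [1:7209:10] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:1045 -> 10.0.0.9:445
02/08-12:12:57.000003  [**] [1:2000000:1] CONSTRUCTED sample alert [**] [Priority: 3] {TCP} 10.0.0.5:1046 -> 10.0.0.9:80
"""


def parse_fast_alerts(text):
    """Count alerts per 'gid:sid:rev' in fast-format Snort output."""
    counts = Counter()
    for line in text.splitlines():
        m = FAST_ALERT_RE.search(line)
        if m:
            counts[f"{m['gid']}:{m['sid']}:{m['rev']}"] += 1
    return counts


def evaluate(counts, expected):
    """Compare observed counts with expected {'gid:sid': min_count}.

    The rule revision is ignored on purpose: rev changes on every rule
    update and a regression test should not break because of it.
    Returns (missing, unexpected): missing maps each unmet expectation
    to the count actually seen; unexpected lists gid:sid values that
    fired but were not expected (a cheap false-positive check)."""
    observed = Counter()
    for key, n in counts.items():
        gid, sid, _rev = key.split(":")
        observed[f"{gid}:{sid}"] += n
    missing = {k: observed.get(k, 0)
               for k, n in expected.items() if observed.get(k, 0) < n}
    unexpected = sorted(set(observed) - set(expected))
    return missing, unexpected


def run_snort(pcap, conf, home_net="any"):
    """Replay a pcap through Snort 2 and return its console alert text.

    -A console prints fast-format alerts to stdout, -k none skips
    checksum verification (common on captured/replayed traffic).
    Assumption: -S HOME_NET=... overrides the ipvar from snort.conf so
    the rule fires regardless of the pcap's addresses, as Kevin
    describes; if your build ignores it, edit the ipvar instead."""
    cmd = ["snort", "-q", "-c", conf, "-r", pcap, "-A", "console",
           "-k", "none", "-S", f"HOME_NET={home_net}"]
    result = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # usage: python snort_regress.py capture.pcap snort.conf 1:7209 ...
    pcap, conf, *sids = sys.argv[1:]
    expected = {s: 1 for s in sids}
    missing, unexpected = evaluate(parse_fast_alerts(run_snort(pcap, conf)), expected)
    for k, n in missing.items():
        print(f"FAIL {k}: expected at least {expected[k]}, saw {n}")
    for k in unexpected:
        print(f"NOTE {k} fired but was not expected")
    sys.exit(1 if missing else 0)
```

Keep one line per pcap (path plus the SIDs it must trigger) and run the harness after every rule or engine update; a SID that stops firing on its reference capture is the regression you want to catch before deployment, and the "unexpected" list is where benign captures should come back empty.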
