Snort mailing list archives

Re: how to test snort rules?


From: Matthew Jonkman <jonkman () emergingthreatspro com>
Date: Wed, 9 Feb 2011 13:17:38 -0500

It's not FP testing if that's what you're thinking. :)

It's for engine testing and load testing primarily. Testing keywords, preprocessors, reassembly, etc. Not the only 
tool, but a very useful one!

Matt

On Feb 9, 2011, at 1:15 PM, Matt Olney wrote:

What do you use it for?  It's a completely invalid functional test, since you're mimicking the rule.  What is the 
purpose?

On Wed, Feb 9, 2011 at 1:11 PM, Matthew Jonkman <jonkman () emergingthreatspro com> wrote:
I highly recommend Rule2Alert. Famousjs maintains that, a former ET and OISF employee. Great project! We use it 
heavily.

Matt

On Feb 8, 2011, at 12:12 PM, Fraser, Hugh wrote:

There's also a project, still in development, called Rule2Alert that imports snort rules and uses Scapy to generate 
the corresponding traffic to trigger the rules. It's at www.malforge.com.

From: Matt Olney [mailto:molney () sourcefire com] 
Sent: Tuesday, February 08, 2011 10:54 AM
To: Kevin Ross
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] how to test snort rules?

For example, https://www.openpacket.org/capture/grab/40 (ms06-040) should fire sid:7209:

kpyke@vrt-dev-01:~/mal_pack$ stest -Kqn ms06_04.pcap
Alerts (2.9.0, ms06_04.pcap)
1:7209:10       NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt     Alerts: 2


On Tue, Feb 8, 2011 at 7:38 AM, Kevin Ross <kevross33 () googlemail com> wrote:
You could also look at openpacket.org and set snort to read the packet in (make sure you haven't set your $HOME_NET 
variable, and test it so it will fire on any IP, though in practice you should have your $HOME_NET set and then 
EXTERNAL_NET !HOME_NET so it considers everything else non-internal). I would also advise using the emergingthreats 
snort rules (google them) for some free rules which cover a lot of malware, command and control, known hostile IP 
addresses, exploits, scanners and so on. You could also look on sites like exploit-db.com for vulnerabilities which 
are covered to test them from another system.

Regards, Kevin 

On 8 February 2011 09:29, anvin igcar <avigcar () gmail com> wrote:
Dear members
  I am new to snort and I installed it on my Fedora 12 system. SNORT is running properly and I am using BASE to view 
snort alerts. I want to know how to test snort rules; I want to test my running snort before deploying it. 
Is there any software which would do this?

Thanks


------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
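The pcap-replay check described earlier in the thread (read a known-bad capture into Snort and confirm the expected SID fires, as Matt Olney shows with sid 7209 and as Kevin Ross suggests with openpacket.org captures) can be turned into a small regression test. The script below is an added example written for this archive page; it is not code from the thread, from Sourcefire's stest, or from Rule2Alert. It assumes you ran Snort 2.x in pcap-read mode with fast alerting, e.g. `snort -q -c /etc/snort/snort.conf -r ms06_04.pcap -A fast -l /tmp/snort-out`, and then point it at the resulting alert file. The alert lines embedded in it are constructed to match the alert_fast layout, not real Snort output, and sid 1000001 is a hypothetical local rule.

```python
"""Check which Snort SIDs fired on a pcap against the SIDs you expected.

Added example: run Snort on the capture first, e.g.
    snort -q -c /etc/snort/snort.conf -r ms06_04.pcap -A fast -l /tmp/snort-out
then run this script on /tmp/snort-out/alert (the alert_fast output).
"""
import re
from collections import Counter

# alert_fast line layout (Snort 2.x, -A fast):
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)


def parse_fast_alerts(lines):
    """Count alerts per (gid, sid, rev, msg) in alert_fast output."""
    hits = Counter()
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # blank lines, preprocessor chatter, anything that is not an alert
        hits[(int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"])] += 1
    return hits


def summarize(hits):
    """One summary row per signature, in the spirit of the per-SID totals quoted in the thread."""
    return [f"{gid}:{sid}:{rev}\t{msg}\tAlerts: {n}"
            for (gid, sid, rev, msg), n in sorted(hits.items())]


def check_expected(hits, expected):
    """Compare fired text-rule SIDs (gid 1) against {sid: minimum_count}.

    Returns (missing, unexpected): SIDs that fired fewer times than required,
    and SIDs that fired although the pcap was not expected to trigger them.
    """
    fired = Counter()
    for (gid, sid, _rev, _msg), n in hits.items():
        if gid == 1:  # gid 1 = text rules; preprocessor alerts use other gids
            fired[sid] += n
    missing = {sid: need for sid, need in expected.items() if fired.get(sid, 0) < need}
    unexpected = {sid: n for sid, n in fired.items() if sid not in expected}
    return missing, unexpected


# Constructed sample alert_fast output for an ms06-040 capture (not real Snort output).
# sid 1000001 is a hypothetical local rule used to show an unexpected hit.
SAMPLE_ALERT_FAST = [
    "02/08-10:54:01.000123  [**] [1:7209:10] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.10:1031 -> 192.168.1.20:445",
    "02/08-10:54:01.000456  [**] [1:7209:10] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.10:1031 -> 192.168.1.20:445",
    "02/08-10:54:02.000789  [**] [1:1000001:1] LOCAL hypothetical test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:1031 -> 192.168.1.20:445",
    "",
]

# The capture should trigger sid 7209 twice, as in the thread; anything else is noise to review.
EXPECTED = {7209: 2}


def run_check(lines=SAMPLE_ALERT_FAST, expected=EXPECTED):
    """Parse alert lines and return (missing, unexpected) for the expected SID set."""
    return check_expected(parse_fast_alerts(lines), expected)


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERT_FAST
    found = parse_fast_alerts(source)
    print("\n".join(summarize(found)))
    missing, unexpected = check_expected(found, EXPECTED)
    print("missing:", missing, "unexpected:", unexpected)
    sys.exit(1 if missing else 0)
```

A SID showing up under `missing` is only meaningful if the variables line up with the capture: a rule written `$EXTERNAL_NET any -> $HOME_NET 445` will never fire on a pcap whose victim is outside whatever `HOME_NET` is set to, which is the point Kevin Ross makes about testing with a wide-open `HOME_NET` first and then tightening it for deployment. Entries under `unexpected` are the ones worth a second look for false positives, which, as noted above, is not something Rule2Alert-style traffic generation tells you anything about.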









