Snort mailing list archives

Re: how to test snort rules?


From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 09 Feb 2011 22:30:57 -0500

On 2/8/2011 12:12, Fraser, Hugh wrote:
> There's also a project, still in development, called Rule2Alert that imports
> snort rules and uses Scapy to generate the corresponding traffic to trigger the
> rules. It's at www.malforge.com <http://www.malforge.com>.

I've used rule2alert and it does do exactly what it says it does... however, 
what it does not do, at least at the time of my testing, is to create a pcap 
that is "larger" than the rule's requirements for testing...

in other words, it creates exactly what the rule is looking for and nothing 
more... in my case, I needed additional pcaps that carried traffic "larger" than 
the specifics but that still contained the specifics... if that makes any sense 
at all...
