Re: Testing Snort

[Russ Combs <rcombs () sourcefire com>]

You can also do inline pcap testing using the dump DAQ:

    snort --daq dump --daq-var load-mode=read-file -Q <other options>

This will create a file called inline-out.pcap that has the packets that
Snort allowed or injected.  Any normalizations are also visible there.

On Wed, Jan 30, 2013 at 2:21 PM, Justin Knox <jknox () indexzero org> wrote:

> Another possibility would be to use tcpreplay[1] and some captures from
> some of the known repositories [2,3]. If you're trying to prove out snort
> inline in this manner, you might need to spend some time making sure you've
> got your lab bench laid out as needed so you can do this though.
>
> If you can, you might want to also try snagging a capture of the traffic
> you're looking to monitor and/or control and use tcpreplay on your bench to
> prove out background noise, and maybe even look into tuning your ruleset
> prior to deployment.
>
> [1] http://tcpreplay.synfin.net/
> [2] https://www.evilfingers.com/repository/pcaps.php
> [3] http://pcapr.net/home
>
>
> On Wed, Jan 30, 2013 at 12:44 PM, Jeremy Hoel <jthoel () gmail com> wrote:
>
> > Then you best bet is to through a scan or known bad traffic at a
> > target.. so it cross the wire and you can see it as expected.  There's
> > lots of different tools to do that.
> >
> > Or, write a custom rule looking for a payload and use hping to send
> > that payload.  Then you've verified that your local rules are working
> > and that it sees traffic on the wire from one host to another.
> >
> > On Wed, Jan 30, 2013 at 5:28 PM, Josh Bitto <jbitto () onlineschool ca>
> > wrote:
> > > Well I have snort running on a test lab to see how well it actually
> > runs. I figured out my problem that I had in pfsense. I had to bridge my
> > WAN and LAN together for snort to actually start. That being said I can see
> > alerts and that all works. Now my real work is to be started and test to
> > make sure that snort runs ok with our network. So I want to similate bad
> > traffic so I can so my boss and say hey this works let's use it...
> > > -----Original Message-----
> > > From: Jeremy Hoel [mailto:jthoel () gmail com]
> > > Sent: Wednesday, January 30, 2013 9:25 AM
> > > To: Josh Bitto
> > > Cc: Snort Users
> > > Subject: Re: [Snort-users] Testing Snort
> > >
> > > If you want to see if it alerts on packets in general, you can load
> > PCAPs from a number of sources and read them through to see if the rules
> > fire.  If you want to see that it's seeing network traffic and alerting,
> > you can make a local rule for something and then send that traffic and see
> > if that fires.
> > > Otherwise, what are you trying to test?
> > >
> > > On Wed, Jan 30, 2013 at 5:17 PM, Josh Bitto <jbitto () onlineschool ca>
> > wrote:
> > > > Does anyone know of a good tool to use to test my IPS? I know of
> > > > Metasploit...but I'm not sure if there is something that is better or
> > > > something broader in spectrum to test.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ----------------------------------------------------------------------
> > > > -------- Everyone hates slow websites. So do we.
> > > > Make your web apps faster with AppDynamics Download AppDynamics Lite
> > > > for free today:
> > > > http://p.sf.net/sfu/appdyn_d2d_jan
> > > > _______________________________________________
> > > > Snort-users mailing list
> > > > Snort-users () lists sourceforge net
> > > > Go to this URL to change user options or unsubscribe:
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > > Snort-users list archive:
> > > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the latest
> > > > Snort news!
> > ------------------------------------------------------------------------------
> > > Everyone hates slow websites. So do we.
> > > Make your web apps faster with AppDynamics
> > > Download AppDynamics Lite for free today:
> > > http://p.sf.net/sfu/appdyn_d2d_jan
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users () lists sourceforge net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
> >
> >
> > ------------------------------------------------------------------------------
> > Everyone hates slow websites. So do we.
> > Make your web apps faster with AppDynamics
> > Download AppDynamics Lite for free today:
> > http://p.sf.net/sfu/appdyn_d2d_jan
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
>
>
> ------------------------------------------------------------------------------
> Everyone hates slow websites. So do we.
> Make your web apps faster with AppDynamics
> Download AppDynamics Lite for free today:
> http://p.sf.net/sfu/appdyn_d2d_jan
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_jan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!