Snort mailing list archives

Re: Generating packets from Snort 3 rules


From: Alex Tatistcheff via Snort-sigs <snort-sigs () lists snort org>
Date: Sat, 16 Jul 2022 07:45:45 -0600

The short answer is no - no tool is public for this.  But the premise of
crafting special packets to test rules is also false.  Ancient tools like
Stick or Snot were designed to generate traffic based on a Snort rule set.
The primary purpose, I believe, was to blind the IPS by flooding it with
alerts.  Keywords like flow were added to prevent these single packet tools
from alerting.

The best way to test a Snort rule is to send an actual attack.  This can be
done with something like metasploit, captured malicious pcaps, POC code,
etc.  If all you do is craft a custom packet that will cause the rule to
trigger you've proven nothing except that Snort detects what the rule is
written to detect.  It doesn't tell you whether it will work on a real
attack.

For many Snort rules you can just use wget to craft a URL that will trigger
the rule.  That proves nothing although it's a good way to get test events
if you're just looking to verify the IPS is inserted into the network
properly.  But it does nothing to test the rule itself for proper function.


Alex Tatistcheff


alext () pobox com



On Fri, Jul 15, 2022 at 2:31 PM Stephen Reese via Snort-sigs <snort-sigs () lists snort org> wrote:

Is there a tool used internally to generate packets to evaluate Snort rules
before they are published? If so, might it be available for public use, or
is this a manual process? I have seen a number of public tools, most of
which are research based, that evaluate Snort rules and attempt to generate
corresponding packets. Most existing tools are dated and focus on a subset
of Snort 2 rules. I have begun the process of building a tool to evaluate
Snort 3 rules but figure it would not hurt to ask if something already
exists?
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules:
https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure
to stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads
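The distinction Alex draws above, between a single crafted packet that carries the rule's content and a real session such as wget produces, can be made concrete by replaying two pcaps through a Snort 3 rule that uses flow:established. The script below is an added example, not code from the thread or from the Snort project. It uses only the Python standard library, so it runs offline. The local rule, the addresses, the request and the file names are all constructed for illustration; the rule's sid is in the local range.

```python
"""Added example (not from the thread): build two pcaps that exercise a Snort 3
rule carrying flow:to_server,established. single_packet.pcap is the Stick/Snot
style probe (one PSH/ACK, no handshake); session.pcap is the traffic a real
client such as wget produces. Standard library only. Replay each with, e.g.
  snort -c snort.lua -R local.rules -r FILE.pcap -A alert_fast
(snort.lua is your site config; local.rules and the pcap names are constructed)."""
import struct
import time

# Hypothetical local rule: a GET for /test-ids, only inside an established session.
LOCAL_RULE = (
    'alert http any any -> any any (msg:"LOCAL test IDS insertion"; '
    'flow:to_server,established; http_uri; content:"/test-ids"; '
    'sid:1000001; rev:1;)'
)
REQUEST = b"GET /test-ids HTTP/1.1\r\nHost: example.test\r\n\r\n"  # constructed
CLIENT, SERVER = ("10.0.0.2", 40000), ("10.0.0.1", 80)           # constructed
FIN, SYN, RST, PSH, ACK = 1, 2, 4, 8, 16
ETH_LEN, IP_LEN = 14, 20


def _csum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; yields 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def tcp_frame(src, dst, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP frame from (ip, port) src to (ip, port) dst, checksums filled in."""
    (sip, sport), (dip, dport) = src, dst
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = _ip_bytes(sip) + _ip_bytes(dip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_LEN + len(tcp), 1, 0x4000, 64, 6, 0,
                     _ip_bytes(sip), _ip_bytes(dip))
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    return eth + ip + tcp


def single_packet_probe() -> list:
    """Stick/Snot style: the request in one PSH/ACK with no handshake in front of it.
    Snort's stream tracker has seen no session setup for this packet."""
    return [tcp_frame(CLIENT, SERVER, 1000, 2000, PSH | ACK, REQUEST)]


def session_probe() -> list:
    """Three-way handshake, the request, then the server's ACK: the sequence a real
    client produces, so flow:to_server,established is satisfied as the rule intends."""
    c_seq, s_seq = 1000, 5000
    return [
        tcp_frame(CLIENT, SERVER, c_seq, 0, SYN),
        tcp_frame(SERVER, CLIENT, s_seq, c_seq + 1, SYN | ACK),
        tcp_frame(CLIENT, SERVER, c_seq + 1, s_seq + 1, ACK),
        tcp_frame(CLIENT, SERVER, c_seq + 1, s_seq + 1, PSH | ACK, REQUEST),
        tcp_frame(SERVER, CLIENT, s_seq + 1, c_seq + 1 + len(REQUEST), ACK),
    ]


def tcp_flags(frame: bytes) -> int:
    return frame[ETH_LEN + IP_LEN + 13]


def ip_header_ok(frame: bytes) -> bool:
    return _csum(frame[ETH_LEN:ETH_LEN + IP_LEN]) == 0


def tcp_segment_ok(frame: bytes) -> bool:
    ip, tcp = frame[ETH_LEN:ETH_LEN + IP_LEN], frame[ETH_LEN + IP_LEN:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _csum(pseudo + tcp) == 0


def pcap_bytes(frames: list) -> bytes:
    """Classic little-endian pcap, link type 1 (Ethernet), one frame per millisecond."""
    now = int(time.time())
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", now, i * 1000, len(f), len(f)) + f
    return out


def write_pcap(path: str, frames: list) -> int:
    data = pcap_bytes(frames)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


if __name__ == "__main__":
    with open("local.rules", "w") as fh:
        fh.write(LOCAL_RULE + "\n")
    write_pcap("single_packet.pcap", single_packet_probe())
    write_pcap("session.pcap", session_probe())
    print("wrote local.rules, single_packet.pcap, session.pcap")
```

Replaying session.pcap with the local rule loaded should produce one alert for sid 1000001; whether single_packet.pcap produces one depends on how the deployed stream_tcp settings treat a packet seen with no handshake, and comparing the two alert_fast outputs is a quick way to check that on your own configuration. Either way, both files only prove what Alex says above: that the rule matches the traffic it was written to match. Whether it catches the real attack still has to be shown with the actual exploit traffic.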
