Snort mailing list archives
Re: Generating packets from Snort 3 rules
From: Alex Tatistcheff via Snort-sigs <snort-sigs () lists snort org>
Date: Sat, 16 Jul 2022 07:45:45 -0600
The short answer is no - no tool is public for this. But the premise of crafting special packets to test rules is also false. Ancient tools like Stick or Snot were designed to generate traffic based on a Snort rule set. The primary purpose, I believe, was to blind the IPS by flooding it with alerts. Keywords like flow were added to prevent these single packet tools from alerting.

The best way to test a Snort rule is to send an actual attack. This can be done with something like metasploit, captured malicious pcaps, POC code, etc. If all you do is craft a custom packet that will cause the rule to trigger you've proven nothing except that Snort detects what the rule is written to detect. It doesn't tell you whether it will work on a real attack.

For many Snort rules you can just use wget to craft a URL that will trigger the rule. That proves nothing although it's a good way to get test events if you're just looking to verify the IPS is inserted into the network properly. But it does nothing to test the rule itself for proper function.

Alex Tatistcheff
alext () pobox com

On Fri, Jul 15, 2022 at 2:31 PM Stephen Reese via Snort-sigs <snort-sigs () lists snort org> wrote:
> Is a tool used internally to generate packets to evaluate Snort rules before they are published? If so, might it be available for public use or is this a manual process? I have seen a number of public tools, most of which are research-based, that evaluate Snort rules and attempt to generate corresponding packets. Most existing tools are dated and focus on a subset of Snort 2 rules. I have begun the process of building a tool to evaluate Snort 3 rules but figure it would not hurt to ask if something already exists?
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
> Please visit http://blog.snort.org for the latest news about Snort!
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
> Visit Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
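As an added illustration of the point about single-packet tools and the `flow` keyword (example code written for this page, not from the thread or the Snort project), a small Python parser for Snort 3 rule option syntax that flags rules whose `flow:established` or `flowbits:isset` conditions mean a lone crafted packet can never match them. The sample rules and SIDs are constructed placeholders; the parser only covers the common `header ( option; option; )` form.

```python
import re

# Constructed sample rules in Snort 3 syntax (not from the official ruleset; SIDs are placeholders).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( msg:"TEST web path"; '
    'flow:established,to_server; http_uri; content:"/cgi-bin/test",fast_pattern; '
    'sid:1000001; rev:1; )',
    'alert udp any any -> $HOME_NET 53 ( msg:"TEST dns label"; '
    'content:"|07|example|03|com"; sid:1000002; rev:1; )',
]

# Header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r'^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)
# One option up to the next ';' that sits outside double quotes (quotes inside content are escaped as \").
OPTION_RE = re.compile(r'((?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+);')


def parse_rule(text):
    """Split a Snort 3 rule into its header fields and an ordered (name, value) option list."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort 3 rule: %r" % text[:40])
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for raw in OPTION_RE.findall(body):
        name, _, value = raw.strip().partition(":")  # sticky buffers such as http_uri have no value
        options.append((name.strip(), value.strip()))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def option(rule, name):
    """All values of one option keyword, in rule order (content may repeat)."""
    return [v for n, v in rule["options"] if n == name]


def needs_session(rule):
    """True when the rule can only fire on a tracked stream, so a single crafted packet cannot match it."""
    for name, value in rule["options"]:
        if name == "flow" and "established" in value.replace(" ", "").split(","):
            return True
        if name == "flowbits" and value.split(",")[0].strip() in ("isset", "isnotset"):
            return True
    return False


def classify(rules):
    """Map each rule's sid to whether it requires session state before it can alert."""
    return {option(r, "sid")[0]: needs_session(r) for r in map(parse_rule, rules)}
```

Rules reported as needing a session are the ones where a wget-style single request or a replayed packet is only meaningful if it rides on a real, established connection through the sensor.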