IDS mailing list archives

RE: Snort signature packet generator


From: "Eric Hines" <eric.hines () appliedwatch com>
Date: Mon, 8 Nov 2004 10:15:35 -0600

 

Graeme,

Several exist. 

1) Snot
2) Stick

However, a pretty awesome tool that we've been using internally is
IDS Informer from Blade Software (http://www.blade-software.com). This
tool not only sends the attacks out on the wire but also completes a
three-way handshake with the attack, simulating a victim host to make
Snort/any IDS think an actual attack is taking place. You can choose
from hundreds, if not more, attacks from its attack selector. They'll
give you a 30-day trial if you want to sniff it out. It is definitely
worth a look!

http://www.blade-software.com/IDSInformer.htm


Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, Inc.
http://www.appliedwatch.com
Direct: (877) 262-7593 x327
1134 N. Main St.
Algonquin, IL 60102

 

-----Original Message-----
From: Graeme Connell [mailto:gconnell () middlebury edu] 
Sent: Friday, November 05, 2004 11:29 AM
To: focus-ids () securityfocus com
Subject: Snort signature packet generator

I'm attempting to train a neural network using Snort, and I'm having
trouble getting a good number of "bad" packets, i.e., those that Snort
considers malicious.  Since a Snort signature is really just a
definition of a subset of all possible packets, it seems like it
should be possible to create a packet that Snort considers bad by
filling in packet fields based on a Snort signature, then filling the
rest of the packet with random garbage.  Does anyone know if this
type of program has already been created, and if so, where could I
find it?  Thanks.

                --Graeme Connell

----------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks
from CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
----------------------------------------------------------------------


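The approach asked about in the quoted message (fill the fields a signature constrains, pad the rest with random bytes), sketched as an added example that is not part of the original thread and is not code from Snot, Stick or IDS Informer. It assumes a constructed rule, handles only `content` with `offset`/`depth`, and builds a payload in memory without sending anything.

```python
import os

# Constructed sample rule for illustration (not taken from any real ruleset).
RULE = ('alert tcp any any -> any 80 (msg:"constructed example"; '
        'content:"GET "; offset:0; depth:4; '
        'content:"|0D 0A|X-Test|3A|"; offset:4; sid:1000001;)')

def decode_content(raw):
    """Turn Snort content syntax ("abc|0D 0A|") into bytes."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        # Odd-numbered segments sit between pipes and hold hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_contents(rule):
    """Return [[pattern, offset, depth_or_None], ...] for each content option."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    matches = []
    for opt in body.split(";"):  # assumes no literal ';' inside option values
        key, _, val = opt.strip().partition(":")
        if key == "content":
            matches.append([decode_content(val.strip().strip('"')), 0, None])
        elif key in ("offset", "depth") and matches:
            matches[-1][1 if key == "offset" else 2] = int(val)
    return matches

def build_payload(matches, total_len=64):
    """Place each pattern inside its window; fill the rest with random bytes."""
    payload = bytearray(os.urandom(total_len))
    cursor = 0
    for pat, offset, depth in matches:
        start = max(cursor, offset)
        end = start + len(pat)
        if depth is not None and end > offset + depth:
            raise ValueError("pattern cannot fit in its offset/depth window")
        if end > len(payload):
            payload += os.urandom(end - len(payload))
        payload[start:end] = pat
        cursor = end
    return bytes(payload)

def rule_matches(matches, payload):
    """Independent check: every pattern must occur inside its search window."""
    for pat, offset, depth in matches:
        window = payload[offset:] if depth is None else payload[offset:offset + depth]
        if pat not in window:
            return False
    return True
```

Labelling each generated payload with the rule's `sid` gives the "bad" class for a training set; the same `rule_matches` check can screen random payloads intended for the "good" class.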



