Re: Snort signature packet generator: Thanks

[Richard Bejtlich <taosecurity () gmail com>]

Graeme Connell wrote: 
> To all who sent me links to programs generating packets from snort 
> signatures: Thanks a bunch. I've got more than enough programs to start 
> myself off with now.

I think Marty was too polite in his defense of Snort's features. 
Snort's TCP inspection capabilities have been immune to "testing" with
Snot, Stick, Sneeze, and now Mucus since the implementation of stream4
three years ago.  I would not waste time using stateless tools like
these to generate TCP traffic of any sort.

This topic seems to surface every 6 months or less, with often the
same suspect programs mentioned. [0]  I would like to see Marty get
credit for work he did in mid-2001 -- forget these stateless tools.

Besides using Nessus or replaying captured traffic, I recommend
generating real exploit traffic against live lab targets using
something like the Metasploit Framework. [1]  As far as open source
goes, you can't beat the Metasploit collection of quality exploits in
a user-friendly package.

Richard
http://www.taosecurity.com

[0] http://www.mcabee.org/lists/snort-users/Jun-04/msg00167.html
[1] http://www.metasploit.com/

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------