IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: SNORT Testing

From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Thu, 2 Mar 2006 09:51:31 +0100
Hi,

On Tue, Feb 28, 2006 at 01:37:49PM -0500, Richard Bejtlich wrote:

On 2/27/06, Byron Sonne <blsonne () rogers com> wrote:

The tools that come to mind for me are 'stick' and 'snot':
http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0096.html



Hello,

Stick, Snot, and all other stateless tools are a waste of time, and
have been since mid-2001.


why?

1. You can still test if stream4 (established) TCP works.
2. You can disable stream4 and see how snort behaves on a high
   alert rate. The subject was testing snort. This way you can 
   not test stream4 but what about output plugins? FPG was build
   especially on this focus. How will you know if your output
   plugin does work with a high alert rate if you do not test
   it?
3. What is with UDP, ICMP or IP? Attacks on these fields are
   still possible without an "established" state (whatever this
   might be with these protocols).

So I won't say these toolls are a waste of time, it depends
highly on what you like to test.

Best regards

Dirk Geschke

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: