IDS mailing list archives
Re: SNORT Testing
From: Eric Hines <eric.hines () appliedwatch com>
Date: Thu, 02 Mar 2006 10:01:34 -0600
Byron,

Martin is right. You will want to pick up a "big iron" that does multi-gig packet generation made by companies such as Xtramsus, Spirent, and so on.. Although, the price point isn't for the faint of heart..

The tools you mentioned won't really even work with Snort, because of the improvements Martin mentioned in its ability to maintain state, which were made quite some time ago in earlier versions of Snort. You would need to disable the stream4 preprocessor for those tools to even work, since Snort will require a completed three-way handshake.

The reason Martin mentioned the packet generators is to shove gigs of traffic through your Snort sensor while also popping some attacks through it, to test the accuracy of Snort and whether any attacks went through undetected.

You may also want to check out a tool called IDSInformer. This tool relies on a dual-NIC system, which allows it to complete the three-way handshake before launching the attack. Although it is commercial, I believe they still offer a trial version.

Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road, Suite 213
Crystal Lake, IL 60014
Toll Free: (877) 262-7593 ext:327
Direct: (847) 854-2725 ext:327
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
Email: eric.hines () appliedwatch com
"Enterprise Open Source Security Management"

Martin Roesch wrote:
Byron,

This may sound a bit snippy but it's not pointed at you, I'm just frustrated with the tools that are out there. :)

Stick and Snot do *not* test Snort, they haven't tested Snort in any meaningful way for years, and they only "tested" Snort in their original form for a few months in 2001 while I made things more stateful.

If you really want to test Snort for performance you should probably start thinking about investing a few hundred $k in some gear from Spirent or maybe Ixia for load generation and then get metasploit for attack generation. A properly configured Snort on a fast enough platform will take gigabit switches and high end test equipment to generate enough traffic to simulate anything that will tax it. Without the load generation gear all you can do is functional testing of Snort, and for that you should probably be looking at metasploit/fragrouter/scapy/etc. for that sort of thing.

I don't know if FPG is capable of doing anything with rules that use flowbits or relative offsets from previous detections, much less regex rules. This includes the vast majority of rules that are developed for Snort these days. Mucus is in the same boat, it was built for Snort version ~1.8.3-6, it will be unsuitable for testing modern versions of Snort if the latest release (from 2003) is any indication.

Stick/snot/sneeze/fpg/mucus are not suitable ways of testing Snort's "throughput", let's all try to remember that from this point on, we've been saying it for years.

If you want to get a really accurate measurement of how Snort performs, you should be putting it into an operational environment where it's going to be deployed and tune it suitably for that environment and then see what the numbers look like. That's the absolute best way, doing repeatable network-based testing is the next best way and after that you've got a variety of non-repeatable or irrelevant testing setups that won't show you anything meaningful because they're not repeatable nor are they well scoped.

What you want to achieve is repeatable functional testing of the engine components at high bandwidth utilization/packet per second rates. The repeatable high-bandwidth generation costs lots of money, the functional testing tools are largely available for free, although there are a few good commercial tools out there too.

-Marty

On Feb 27, 2006, at 5:54 PM, Byron Sonne wrote:

The tools that come to mind for me are 'stick' and 'snot': http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0096.html

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------

Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
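The point both replies make, that a stateful Snort ignores content sent outside a completed handshake, is easy to demonstrate with repeatable offline captures rather than a live packet generator. The script below is an added example, not code from this thread or from the Snort project: it builds two libpcap files with a constructed client/server pair and a benign marker string, one with a proper SYN/SYN-ACK/ACK before the data segment and one with the bare data segment only, for replay through `snort -r`.

```python
import socket
import struct

# Constructed test endpoints and a benign marker string; point a custom
# Snort rule at the marker (content:"SNORT-TEST-MARKER") to see the difference.
SYN, SYNACK, ACK, PSHACK = 0x02, 0x12, 0x10, 0x18

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by both IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with valid checksums (dummy MAC addresses)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + tcp

def session(client, server, sport, dport, payload, handshake=True):
    """Frames for one client->server exchange, with or without the 3-way handshake."""
    cseq, sseq, frames = 1000, 5000, []
    if handshake:
        frames.append(tcp_frame(client, server, sport, dport, cseq, 0, SYN))
        frames.append(tcp_frame(server, client, dport, sport, sseq, cseq + 1, SYNACK))
        frames.append(tcp_frame(client, server, sport, dport, cseq + 1, sseq + 1, ACK))
        cseq, sseq = cseq + 1, sseq + 1
    # The data segment is identical in both cases; only the session state differs.
    frames.append(tcp_frame(client, server, sport, dport, cseq, sseq, PSHACK, payload))
    return frames

def write_pcap(path, frames):
    """Write frames as a libpcap (v2.4, LINKTYPE_ETHERNET) capture for snort -r."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1141300000, i * 1000, len(frame), len(frame)) + frame)

if __name__ == "__main__":
    marker = b"SNORT-TEST-MARKER\r\n"
    write_pcap("with_handshake.pcap", session("10.0.0.1", "10.0.0.2", 40000, 80, marker))
    write_pcap("no_handshake.pcap", session("10.0.0.1", "10.0.0.2", 40001, 80, marker, False))
```

Replay each file with `snort -r` against a rule that carries `flow:established` and matches the marker: with stream4 enabled only the capture containing the handshake should alert, which is exactly why stateless generators like stick and snot no longer exercise the engine.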
Current thread:
- Re: SNORT Testing Martin Roesch (Mar 01)
- Re: SNORT Testing Eric Hines (Mar 03)
- <Possible follow-ups>
- Re: SNORT Testing Richard Bejtlich (Mar 01)
- Re: SNORT Testing Dirk Geschke (Mar 03)
- Re: SNORT Testing Aaron Turner (Mar 02)
- Re: SNORT Testing Byron Sonne (Mar 02)
- RE: SNORT Testing Terry Vernon (Mar 03)
- Re: SNORT Testing Stefano Zanero (Mar 09)
- RE: SNORT Testing Terry Vernon (Mar 03)