Re: SNORT Testing

[Eric Hines <eric.hines () appliedwatch com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Byron,

Martin is right. You will want to pick up a "big iron" that does
multi-gig packet generation made by companies such as Xtramsus, Spirent,
and so on.. Although, the price point isn't for the faint of heart..

The tools you mentioned won't really even work with Snort since the
improvements Martin mentioned in its capabilities in maintaining state
- -- which was done quite some time ago in earlier versions of Snort. You
would need to disable the stream4 preprocessor for those tools to even
work since Snort will require a completed three-way handshake.

The reason Martin mentioned the packet generators is to shove gigs of
traffic through your Snort sensor while also popping some attacks
through it to test the accuracy of Snort and whether any attacks went
through undetected. You may also want to check out a tool called
IDSInformer. This tool relies on a dual-nic system which allows it to
complete the three-way handshake before launching the attack. Although,
it is commercial, but I believe they still offer a trial version.



Best Regards,

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC


- ---------------------------------------------

Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 213
Crystal Lake, IL 60014
Toll Free: (877) 262-7593 ext:327
Direct: (847) 854-2725 ext:327
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
Email: eric.hines () appliedwatch com

- --------------------------------------------
"Enterprise Open Source Security Management"


Martin Roesch wrote:
> Byron,
>
> This may sound a bit snippy but it's not pointed at you, I'm just 
> frustrated with the tools that are out there. :)
>
> Stick and Snot do *not* test Snort, they haven't tested Snort in any 
> meaningful way for years, and they only "tested" Snort in their 
> original form for a few months in 2001 while I made things more 
> stateful.  If you really want to test Snort for performance you  should
> probably start thinking about investing a few hundred $k in  some gear
> from Spirent or maybe Ixia for load generation and then get  metasploit
> for attack generation.  A properly configured Snort on a  fast enough
> platform will take gigabit switches and high end test  equipment to
> generate enough traffic to simulate anything that will  tax it.
>
> Without the load generation gear all you can do is functional testing 
> of Snort and for that you should probably be looking at metasploit/
> fragrouter/scapy/etc for that sort of thing.
>
> I don't know if FPG is capable of doing anything with rules that use 
> flowbits or relative offsets from previous detections, much less  regex
> rules.  This includes the vast majority of rules that are  developed for
> Snort these days.  Mucus is in the same boat, it was  built for Snort
> version ~1.8.3-6, it will be unsuitable for testing  modern versions of
> Snort if the latest release (from 2003) is any  indication.
>
> Stick/snot/sneeze/fpg/mucus are not suitable ways of testing Snort's 
> "throughput", let's all try to remember that from this point on,  we've
> been saying it for years.  If you want to get a really accurate 
> measurement of how Snort performs, you should be putting it into an 
> operational environment where it's going to be deployed and tune it 
> suitably for that environment and then see what the numbers look  like. 
> That's the absolute best way, doing repeatable network-based  testing is
> the next best way and after that you've got a variety of  non-repeatable
> or irrelevant testing setups that won't show you  anything meaningful
> because they're not repeatable nor are they well  scoped.
>
> What you want to achieve is repeatable functional testing of the  engine
> components at high bandwidth utilization/packet per second  rates.  The
> repeatable high-bandwidth generation costs lots of money,  the
> functional testing tools are largely available for free, although  there
> are a few good commercial tools out there too.
>
>      -Marty
>
>
> On Feb 27, 2006, at 5:54 PM, Byron Sonne wrote:
>
> > > The tools that come to mind for me are 'stick' and 'snot':
> > > http://archives.neohapsis.com/archives/fulldisclosure/ 2004-09/0096.html
> > >
> > > ---------------------------------------------------------------------- --
> > > Test Your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out quickly and easily by testing it with real-world attacks 
> > > from CORE IMPACT.
> > > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-
> > > ids_040708 to learn more.
> > > ---------------------------------------------------------------------- --
>
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org

- ------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
- ------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFEBxbdbOqF2QHgUK0RAq5AAKCmwQJfJlcu655HBH9a7hOU22du9wCeIikO
9B0QMgA88+CbVgRHpBtl3c8=
=E7vx
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------