Snort mailing list archives
RE: Is there a program to test snort rules?
From: "Brian Laing" <Brian.Laing () Blade-Software com>
Date: Mon, 28 Apr 2003 07:55:14 -0700
It really depends on what you want to test. If you only want to test whether the rule has been applied and is working the way it was written, then Stick works very well for this. However, if you want to test whether a rule is WRITTEN correctly, then the only way is to use either our company's IDS Informer tool, or run real exploits in front of the IDS. Only these last two methods will test (1) that the rule has been applied to the sensor and (2) that the rule is written correctly.

Information on Informer below; beware, marketing info past this point :-)

IT Security Professionals to date have had no effective and easy way to independently test and verify their Intrusion Detection System (IDS). All companies that have purchased and deployed IDS systems to date have had no way of easily validating that the system is doing what it was purchased to do, i.e. defend and alert against actual attacks. IDS Informer has been designed from the ground up to help security, network and audit teams test and confirm that intrusion detection systems deployed as a key and critical line of defense are working correctly, are running the correct policy, are monitoring the correct network segment, are picking up the latest attacks and are responding in the correct manner. IDS Informer is designed to be able to be used in live production environments and it therefore utilizes a unique method of being able to inject attacks in a completely controlled, safe and repeatable manner. It is the ideal solution for fully testing an intrusion detection system and should be used in the 3 stages of IDS deployment listed below:

Vendor Selection
It can be used to easily test the differences between the various IDS products out there, looking for things like attack recognition, performance testing to see how the IDS operates under load, and testing the management interface to see how "useable" the IDS is in a real world environment. All of the tests are easily repeatable so that you can be sure that each product being tested is looked at under the same conditions.

IDS Deployment
Before an IDS goes into a live production environment the connections to the management system should be verified, the policy should be extensively tested to ensure that it is configured correctly and in accordance with the organization's security policies, attack signatures need to be finely tuned to reduce the overhead of false positives, any user defined responses and actions need to be tested, and the IDS set up should be verified to ensure it is monitoring the correct network segments.

Live System
When the IDS is in production it should be tested after each policy change and update to confirm all functionality is still operational, random fire drill tests should be undertaken to ensure escalation policies are working effectively, repeated testing and simulation needs to be undertaken when investigating events, and service level agreements should be tested if the management of the IDS has been outsourced to a 3rd party. If a managed security company is providing the monitoring capabilities, generally they will have tight service level agreements stating that when an attack is picked up the customer will be notified within a certain time frame; if the customer is not notified within that timeframe then discounts can be applied to the monthly management fees incurred. By using IDS Informer the customer can run random tests against their managed IDS devices to test the service level agreements in place.

The above are just a few of the ways in which IDS Informer can provide value. BLADE Software also has consulting partners who are using IDS Informer to provide specific regular audits of their customers' IDS systems to confirm that the system is still functional. This process was very time-consuming before the availability of IDS Informer as it was mainly a manual process: downloading exploits, building scripts, not easy to repeat the same tests exactly, etc. By using IDS Informer consultants have been able to massively reduce the time to complete the tests and therefore maximize their revenue earning potential.

So how does it work?

IDS Informer uses pre-captured network traffic of an attack from start to finish. Using the advanced replay options, the traffic is transmitted through a single network card simulating the original transmission. The advanced replay options allow IDS Informer to:
- Spoof source and destination IP addresses and source MAC addresses
- Control the rate of transmission on a per attack and per packet basis
- Transmit in both a stateful and stateless manner
- Loop attacks continuously

As IDS Informer replaces the relevant fields in each packet of the original capture with the new information, it recalculates the IP and TCP pseudo headers and creates new sequence numbers in accordance with the standards used for each source and destination operating system before transmitting the packets. This ensures that when looping attacks, each iteration of the loop is transmitted as a unique data stream.

It is important to fully understand the inspection techniques used by the IDS being tested to ensure an accurate test. To an IDS that incorporates bi-directional inspection, a stateful transmission from IDS Informer is identical to the real attack. As a number of IDS solutions currently available use uni-directional inspection techniques, a routed or stateless transmission will still appear to be identical to the original attack.
-------------------------------------------------------------------
Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650.367.9376
eFax: +1 650.249.3443
Blade Software - Because Real Attacks Hurt
http://www.Blade-Software.com
-------------------------------------------------------------------

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Paul B. Poh
Sent: Monday, April 28, 2003 5:51 AM
To: Joe Horton
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Is there a program to test snort rules?

I've found sneeze to be occasionally useful, which according to the snort faq can be found at: http://snort.sourceforge.net/sneeze-1.0.tar

Something like snot can also be used to generate noise from snort rules, similar to stick (I believe). Snot can be found at http://www.stolenshoes.net/sniph/index.html

Joe Horton wrote:
Here's something I found that says it can test snort rules but it's not for download :( http://www.eurocompton.net/stick/projects8.html
Anyone know if there's something similar that I can use to test rules?
-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------
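The replay mechanics Brian's message describes (rewrite the addresses in a captured packet, recompute the IP header checksum and the TCP checksum over the new pseudo-header, and offset the sequence numbers so each looped iteration is a distinct stream) as an added example. This is not code from the thread or from IDS Informer; it is a pure-Python illustration over a constructed IPv4/TCP packet that rewrites and validates but does not transmit (putting the result on the wire would need a raw socket or a replay tool). Function names, the sample HTTP request and the addresses are all assumptions of this example.

```python
import struct
import ipaddress


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: add 16-bit big-endian words, folding carries back in."""
    if len(data) % 2:
        data = data + b"\x00"          # odd length is padded with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum of data whose checksum field is currently zero."""
    return (~ones_complement_sum(data)) & 0xFFFF


def tcp_pseudo_header(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    """What the TCP checksum covers besides the segment: addresses, 0, proto 6, length."""
    return struct.pack("!4s4sBBH", src, dst, 0, 6, tcp_len)


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload: bytes) -> bytes:
    """Constructed sample packet (IPv4 + TCP, no options) with valid checksums."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    tcp_csum = checksum(tcp_pseudo_header(src_b, dst_b, len(tcp) + len(payload)) + tcp + payload)
    tcp = tcp[:16] + struct.pack("!H", tcp_csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload


def rewrite_packet(packet: bytes, new_src: str, new_dst: str, seq_delta: int = 0) -> bytes:
    """Re-address a captured IPv4/TCP packet and fix up both checksums.

    seq_delta is added to the sequence number and to a non-zero ACK number. Applying
    the same delta to every packet of one captured exchange keeps both sides
    consistent while making each looped replay a new stream to the IDS.
    """
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:
        raise ValueError("this example handles TCP only")
    ip = bytearray(packet[:ihl])
    tcp = bytearray(packet[ihl:])
    ip[12:16] = ipaddress.IPv4Address(new_src).packed
    ip[16:20] = ipaddress.IPv4Address(new_dst).packed
    ip[10:12] = b"\x00\x00"                      # zero, then recompute header checksum
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    if seq_delta:
        seq, ack = struct.unpack("!II", tcp[4:12])
        seq = (seq + seq_delta) & 0xFFFFFFFF
        if ack:
            ack = (ack + seq_delta) & 0xFFFFFFFF
        tcp[4:12] = struct.pack("!II", seq, ack)
    tcp[16:18] = b"\x00\x00"                     # TCP checksum depends on the new addresses
    pseudo = tcp_pseudo_header(bytes(ip[12:16]), bytes(ip[16:20]), len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)


def checksums_valid(packet: bytes) -> bool:
    """Receiver-side check: the sum including the checksum field folds to 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    packet = packet[:total_len]                  # ignore any link-layer padding
    ip_ok = ones_complement_sum(packet[:ihl]) == 0xFFFF
    pseudo = tcp_pseudo_header(packet[12:16], packet[16:20], len(packet) - ihl)
    tcp_ok = ones_complement_sum(pseudo + packet[ihl:]) == 0xFFFF
    return ip_ok and tcp_ok


def addresses(packet: bytes) -> tuple:
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))


def seq_ack(packet: bytes) -> tuple:
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!II", packet[ihl + 4:ihl + 12])


def tcp_payload(packet: bytes) -> bytes:
    ihl = (packet[0] & 0x0F) * 4
    doff = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + doff:]


# Constructed "capture": one HTTP request segment, the sort of payload a content rule keys on.
SAMPLE = build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 80, 1000, 1, 0x18,
                        b"GET /index.html HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for i in range(3):   # three loop iterations, each a distinct stream
        p = rewrite_packet(SAMPLE, "192.0.2.10", "198.51.100.7", seq_delta=(i + 1) * 100000)
        print(addresses(p), seq_ack(p), checksums_valid(p))
```

The payload is untouched by the rewrite, so whatever content a rule matches on survives; what changes is only the addressing and the sequence space, which is why a sensor with stateful inspection sees each looped pass as a fresh connection rather than a retransmission. A packet whose checksum is not fixed up after re-addressing is exactly what a stateful IDS (or the target host) may silently discard, so the validity check is worth running before replaying.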
Current thread:
- Is there a program to test snort rules? Joe Horton (Apr 26)
- RE: Is there a program to test snort rules? Michael Steele (Apr 26)
- Re: Is there a program to test snort rules? Paul B. Poh (Apr 28)
- RE: Is there a program to test snort rules? Brian Laing (Apr 28)