Snort mailing list archives

Re: Performance Testing


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 30 Jul 2003 16:56:22 -0400

At 12:30 PM 7/30/2003 -0700, Aaron Babalola wrote:
Hi
I need assistance in testing the performance of my snort IDS, I have activated some rules, but the only test I can do is a port scanner. I need someone to suggest the necessary tools and methodology to test that my IDS is really working
OLusola

I'd suggest running some things that actually look more like an attack than a trivial run-of-the-mill portscan (yawn).

nessus and nmap are good tools to start with.


If you really want to test that every rule in the entire configuration is working, well, that's a lot more work as you'll have to find a copy of the tools that generate every attack that snort detects.. ouch.

Another way to check your snort sensor is to create a simple rule that alerts on every packet going by, and temporarily add it to your ruleset.. you should see a LOT of alerts this way, and it will also give you a quick verification as to what kinds of traffic flows in your network your snort box is seeing and processing. (admittedly just running tcpdump will do close to the same thing, but this will also pick up problems like configuring snort for the wrong interface, etc).
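
The following is an added example, not part of the original message: a sketch of the alert-on-every-packet check described above, tallying the alerts such a temporary rule produces so you can see which protocols and host pairs the sensor actually processes. It assumes Snort is writing "fast" alert output (`-A fast`); the rule's `msg` text and `sid`, and all sample alert lines, are constructed for illustration.

```python
import re
from collections import Counter

# Catch-all rule assumed for this example (msg text and sid are constructed;
# remove it from the ruleset again once the check is done):
#   alert ip any any -> any any (msg:"SENSOR-TEST any packet"; sid:1000001; rev:1;)
TEST_SID = 1000001

# One line of Snort "fast" alert output.
FAST_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)

def host(endpoint):
    """Strip a trailing :port from an IPv4 endpoint (ICMP has none)."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint

def summarize(lines, sid=TEST_SID):
    """Count test-rule alerts per protocol and per src -> dst host pair."""
    protos, flows = Counter(), Counter()
    for line in lines:
        m = FAST_RE.search(line)
        if m and int(m["sid"]) == sid:  # ignore alerts from other rules
            protos[m["proto"]] += 1
            flows[(host(m["src"]), host(m["dst"]))] += 1
    return protos, flows

# Constructed sample alert lines (addresses are documentation ranges).
SAMPLE = """\
07/30-16:56:22.101000  [**] [1:1000001:1] SENSOR-TEST any packet [**] [Priority: 0] {TCP} 192.0.2.10:34567 -> 192.0.2.1:80
07/30-16:56:22.102000  [**] [1:1000001:1] SENSOR-TEST any packet [**] [Priority: 0] {TCP} 192.0.2.1:80 -> 192.0.2.10:34567
07/30-16:56:22.350000  [**] [1:1000001:1] SENSOR-TEST any packet [**] [Priority: 0] {UDP} 192.0.2.10:1025 -> 198.51.100.53:53
07/30-16:56:23.000000  [**] [1:1000001:1] SENSOR-TEST any packet [**] [Priority: 0] {ICMP} 192.0.2.10 -> 192.0.2.1
07/30-16:56:23.500000  [**] [1:1000002:1] OTHER local rule [**] [Priority: 0] {ICMP} 203.0.113.5 -> 192.0.2.1
""".splitlines()

if __name__ == "__main__":
    protos, flows = summarize(SAMPLE)
    if not protos:
        print("no test-rule alerts: check which interface snort is listening on")
    for proto, n in protos.most_common():
        print(f"{proto}: {n} packets")
    for (src, dst), n in flows.most_common():
        print(f"{src} -> {dst}: {n}")
```

An empty tally on a busy segment points at the sensor placement or interface configuration rather than at the ruleset.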


