Snort mailing list archives

Re: false positive generator


From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Wed, 11 Feb 2004 10:27:18 +0100

Hi all,

I am currently using snort-2.1.1-RC1 and am trying to use sneeze to
generate some false positives. However, it does not seem to work at all
(as mentioned previously). Does anyone know if there's another false
positive generator out there?


Have you tried disabling stream4?  I don't know how sneeze works
but if it doesn't build legit TCP sessions I don't think Snort
will bother with it.  Can anyone confirm this?

Yes, of course. It would be difficult (but not impossible) to build
a false positive generator which is able to create established
connections. The big question is: would it be useful, or would it
lead to DoS attacks against snort sensors?

Ok, you must have either two machines on the monitored network 
or direct access to the snort sensor to fake responses.

One other false-positive-generator is the program "fpg" as 
part of FLoP (http://www.geschke-online.de/FLoP). This
generator understands some more snort keywords and works
much faster. (Indeed you can create drop rates with it.)

But to use it you have to either remove the "established"
keywords from the rule or disable the stream4 preprocessor.

Best regards

Dirk
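The point made in this thread (a stateless packet generator never trips rules carrying the "established" keyword while stream4 is tracking sessions) can be illustrated with a toy model of a stateful TCP preprocessor. The following is an added example, not code from Snort, sneeze or FLoP; the packet records, the rules and the session state machine are constructed here for illustration, and `stateful=False` simply stands in for the workaround described above (dropping the keyword or disabling stream4) by treating every packet as eligible to match.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample packets, modelled as simple records rather than real pcap data.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str           # subset of "SA" (SYN, ACK), in the spirit of Snort's flags keyword
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    msg: str
    content: bytes
    established: bool    # models a rule carrying flow:established

class StreamTracker:
    """Toy model of a stateful TCP preprocessor (assumption: stream4-like
    behaviour). A session counts as established only after a complete
    three-way handshake has been observed on the wire."""

    def __init__(self) -> None:
        self.state: Dict[Tuple, str] = {}

    def _key(self, p: Packet) -> Tuple:
        # Direction-independent session key so both halves share one entry.
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def observe(self, p: Packet) -> bool:
        """Advance the session state machine and report whether this packet
        belongs to an established session."""
        k = self._key(p)
        st = self.state.get(k, "NONE")
        if st == "NONE" and p.flags == "S":
            self.state[k] = "SYN_SEEN"
        elif st == "SYN_SEEN" and p.flags == "SA":
            self.state[k] = "SYNACK_SEEN"
        elif st == "SYNACK_SEEN" and "A" in p.flags:
            self.state[k] = "ESTABLISHED"
        return self.state.get(k) == "ESTABLISHED"

def run_rules(packets: List[Packet], rules: List[Rule], stateful: bool = True) -> List[str]:
    """Return the alert messages raised over a packet sequence. With stateful=True
    the tracker gates rules marked established; with stateful=False every packet is
    treated as eligible, which is what the thread's workaround achieves."""
    tracker = StreamTracker()
    alerts: List[str] = []
    for p in packets:
        established = tracker.observe(p) if stateful else True
        for r in rules:
            if r.established and not established:
                continue          # tracked mode: unestablished traffic never matches
            if r.content in p.payload:
                alerts.append(r.msg)
    return alerts

# Constructed rule set: the same content once with and once without "established".
RULES = [
    Rule("TEST content established", b"hello", established=True),
    Rule("TEST content any-state", b"hello", established=False),
]

CLIENT, SERVER = "10.0.0.5", "10.0.0.80"   # constructed addresses

# A full handshake followed by data, then a bare data packet with no handshake
# (the kind of packet a stateless generator emits).
HANDSHAKE_THEN_DATA = [
    Packet(CLIENT, 40000, SERVER, 80, "S"),
    Packet(SERVER, 80, CLIENT, 40000, "SA"),
    Packet(CLIENT, 40000, SERVER, 80, "A"),
    Packet(CLIENT, 40000, SERVER, 80, "A", b"hello server"),
]
BARE_DATA = [Packet(CLIENT, 40001, SERVER, 80, "A", b"hello server")]

def demo() -> Tuple[List[str], List[str]]:
    """Alerts with the tracker active versus with every packet treated as eligible."""
    packets = HANDSHAKE_THEN_DATA + BARE_DATA
    return run_rules(packets, RULES, stateful=True), run_rules(packets, RULES, stateful=False)

if __name__ == "__main__":
    tracked, untracked = demo()
    print("tracked:  ", tracked)
    print("untracked:", untracked)
```

With the tracker active the bare packet only raises the rule without the "established" keyword, while the packet that followed a real handshake raises both; treating every packet as eligible makes the two packets indistinguishable to the rule engine, which is exactly the difference the workaround trades away.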



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users