Snort mailing list archives

Re: testing IDS


From: Martin Roesch <roesch () sourcefire com>
Date: Mon, 27 Jun 2005 23:14:08 -0400

There are better ways to test Snort. Snort doesn't have a formal programmatic SYN flood detector but you could probably write a threshold rule that would give you the capability in about 10 minutes.

A better idea would be to go get Metasploit or the Exploitation Framework at http://www.securityforest.com/wiki/index.php/Exploitation_Framework to generate some attacks. Snort has never really concentrated on rate-based DoS detection. Usually you can tell when you're getting hit by a rate-based DoS without a whole lot in the way of IDS... :)

      -Marty


On Jun 21, 2005, at 12:58 AM, Geries Handal wrote:

Hi...

I downloaded a couple of tools from this site:

http://www.antiserver.it/Denial-Of-Service/

The tools were:

APSEND v1.60 and

Datapool v3.3

I used them to test my Linux box with Snort, but I don't get any alerts on any of the attacks, only portscans and portsweeps but no DoS attacks. For example, with apsend you can generate a SYN flood DoS... but Snort will not generate any alerts...

So I'd like to know what I'm doing wrong, or is there a better way to test Snort...

Thanks
Geries Handal




-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Network Defense for the Real World - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org
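
Added example, not part of the original post: a simplified Python model of the kind of threshold rule mentioned in the reply, counting bare SYNs per destination and alerting once per window. The rule text in the comment, its sid, the 100-per-second threshold, the function names and the packet data are all constructed assumptions.

```python
# Rule being modelled (constructed; sid, count and seconds are assumptions):
#   alert tcp any any -> $HOME_NET any (msg:"LOCAL possible SYN flood"; \
#     flags:S; threshold: type both, track by_dst, count 100, seconds 1; \
#     sid:1000001; rev:1;)
SYN, ACK = 0x02, 0x10

def syn_threshold_alerts(packets, count=100, window_ms=1000):
    """Simplified model of 'threshold: type both, track by_dst'.

    packets: (timestamp_ms, dst_ip, tcp_flags) tuples in time order.
    Returns [(timestamp_ms, dst_ip)]: at most one alert per destination per
    window, raised when the count-th bare SYN arrives inside that window.
    """
    state = {}   # dst_ip -> [window_start_ms, syn_count, already_alerted]
    alerts = []
    for ts, dst, flags in packets:
        if flags != SYN:              # flags:S matches SYN as the only flag set
            continue
        win = state.get(dst)
        if win is None or ts - win[0] >= window_ms:
            win = state[dst] = [ts, 0, False]    # window expired: start over
        win[1] += 1
        if win[1] >= count and not win[2]:
            win[2] = True             # 'both': stay quiet for rest of window
            alerts.append((ts, dst))
    return alerts

def constructed_capture():
    """Constructed sample traffic (documentation addresses, not real data)."""
    pkts = [(i * 500, "192.0.2.10", SYN) for i in range(20)]        # normal client connects
    pkts += [(i * 4, "192.0.2.20", SYN) for i in range(500)]        # 250 SYN/s for 2 s
    pkts += [(i * 3, "192.0.2.30", SYN | ACK) for i in range(300)]  # SYN-ACKs, not counted
    return sorted(pkts)

if __name__ == "__main__":
    for ts, dst in syn_threshold_alerts(constructed_capture()):
        print(f"{ts:>5} ms  possible SYN flood -> {dst}")
```
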




