Snort mailing list archives

RE: testing snorts


From: "Eric Hines" <eric.hines () appliedwatch com>
Date: Mon, 12 Sep 2005 11:43:54 -0500

 
If you do use those tools, beware of Snort's stream4 preprocessor,
which does not log an alert until a complete three-way handshake has
completed. This eliminates noise from snot, stick, and other
variants. You all may also want to check out IDS Informer. This is a
software package designed to create a large number of alerts. It
actually simulates the victim host and completes the three-way
handshake. It is commercial and is available from Blade Software
(http://www.bladesoftware.net/prod_ids.html)

Disabling/commenting out stream4 should do the trick. I'm sure
others may have a different method, but this does seem to work for me
when needing to light Snort up.


# stream4: stateful inspection/stream reassembly for Snort
#-----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat
# stick/snot against TCP rules.  Also performs full TCP stream reassembly,
# stateful inspection of TCP streams, etc.  Can statefully detect various
# portscan types, fingerprinting, ECN, etc.



Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
-------------------------------------------------------------
PGP Fingerprint: 0FBA 28D4 C5C7 DF27 AE2C
                 AFC6 0519 DB2C CDB3 7914
-------------------------------------------------------------
Headquarters:
1095 Pingree Rd.
Suite 213
Crystal Lake, IL 60014
Tel: (877) 262-7593 e:327
Fax: (877) 262-7593
Mob: (847) 456-6785
Web: http://www.appliedwatch.com 

Virginia Office (Intelligence/Dept. of Defense Service Area)
Cleared Personnel: TS/SCI with Polygraph
4524 Waverly Crossing Lane
Chantilly, Va. 20151
Tel: (877) 262-7593
Fax: (877) 262-7593
-------------------------------------------------------------
Enterprise Snort Management at http://www.appliedwatch.com 
Security Information Management for the Open Source Enterprise.
- -------------------------------------------------------------
________________________________

From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of
Kretzer, Jason R (Big Sandy)
Sent: Monday, September 12, 2005 10:13 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] testing snorts


 
If I am not mistaken, nmap and Nessus make Snort go crazy with
alerts.
 
- -Jason


________________________________

        From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort
sara
        Sent: Monday, September 12, 2005 11:07 AM
        To: snort-users () lists sourceforge net
        Subject: [Snort-users] testing snorts
        
        
        Hi all,
        
        I need to show a demonstration of Snort by showing some kinds of
intrusions that Snort alerts on. Does anyone have a good testing tool
to test Snort?
        
        Any reply will be appreciated.
        
        
        


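A constructed model of the stream4 "established only" behaviour Eric describes above, added here as an example; it is not Snort source and not code from anyone in this thread. It assumes a hypothetical content rule, a single session table keyed by normalized 4-tuple, and two hand-built packet lists: stick/snot-style forged single packets that never complete a handshake, and an IDS Informer-style session that simulates both ends and finishes SYN, SYN/ACK, ACK before sending the same payload. The `established_only=False` mode stands in for running with stream4 commented out, which is the "light Snort up" configuration.

```python
"""Toy model of Snort's stream4 -z est (established-only) filtering.

Constructed example, not Snort source. A small TCP session tracker marks a
4-tuple ESTABLISHED only after SYN, SYN/ACK and ACK are seen in the right
directions, and content rules are evaluated only on payloads of established
sessions. With established_only=False every packet is inspected, which is
what dropping stream4 from snort.conf amounts to.
"""
from dataclasses import dataclass

# TCP flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# Constructed content rule: hypothetical name and pattern, not a real Snort SID
RULES = {"WEB-IIS cmd.exe access (constructed)": b"cmd.exe"}

# Constructed attack payload used by both traffic generators
ATTACK = b"GET /scripts/cmd.exe HTTP/1.0\r\n\r\n"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


class Stream4Lite:
    """Direction-aware three-way-handshake tracker keyed by normalized 4-tuple."""

    def __init__(self, established_only=True):
        self.established_only = established_only
        self.sessions = {}  # key -> {"state": str, "initiator": (ip, port)}

    @staticmethod
    def key(p):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)

    def track(self, p):
        """Advance the session state machine for p and return the new state."""
        k = self.key(p)
        if p.flags & RST:
            self.sessions.pop(k, None)
            return "NONE"
        sess = self.sessions.get(k)
        if sess is None:
            if p.flags & SYN and not p.flags & ACK:
                self.sessions[k] = {"state": "SYN_SENT", "initiator": (p.src, p.sport)}
                return "SYN_SENT"
            return "NONE"  # mid-stream packet with no handshake seen: stick/snot noise
        from_initiator = (p.src, p.sport) == sess["initiator"]
        st = sess["state"]
        if st == "SYN_SENT" and not from_initiator and (p.flags & (SYN | ACK)) == (SYN | ACK):
            sess["state"] = "SYN_RCVD"
        elif st == "SYN_RCVD" and from_initiator and p.flags & ACK and not p.flags & SYN:
            sess["state"] = "ESTABLISHED"
        elif p.flags & FIN:
            sess["state"] = "CLOSING"
        return sess["state"]

    def inspect(self, packets):
        """Return the names of rules that fired, in packet order."""
        alerts = []
        for p in packets:
            state = self.track(p)
            if self.established_only and state != "ESTABLISHED":
                continue  # -z est: never look at payload outside an established session
            alerts.extend(name for name, pat in RULES.items() if pat in p.payload)
        return alerts


def stick_noise(n=5):
    """Stick/snot style: forged single PSH/ACK packets, no handshake ever seen."""
    return [Packet(f"10.0.0.{i + 1}", 40000 + i, "192.0.2.10", 80, PSH | ACK, ATTACK)
            for i in range(n)]


def informer_session():
    """IDS Informer style: both ends simulated, handshake completed, then the attack."""
    c, s = ("198.51.100.7", 51234), ("192.0.2.10", 80)
    return [
        Packet(*c, *s, SYN),
        Packet(*s, *c, SYN | ACK),
        Packet(*c, *s, ACK),
        Packet(*c, *s, PSH | ACK, ATTACK),
    ]


def count_alerts(established_only, noise=5):
    """(alerts from stick-style noise, alerts from the handshake-completing session)."""
    engine = Stream4Lite(established_only)
    return len(engine.inspect(stick_noise(noise))), len(engine.inspect(informer_session()))


if __name__ == "__main__":
    for mode in (True, False):
        noise, real = count_alerts(mode)
        print(f"established_only={mode}: noise alerts={noise}, session alerts={real}")
```

With `established_only=True` the forged packets produce no alerts no matter how many are sent, while the session that completes the handshake still fires; with `established_only=False` every forged packet fires, which is the flood of alerts the stateless tools are built to produce.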