Snort mailing list archives
RE: testing snorts
From: "Eric Hines" <eric.hines () appliedwatch com>
Date: Mon, 12 Sep 2005 11:43:54 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you do use those tools, beware of Snort's stream4 preprocessor, which does not log an alert until a complete three-way handshake has completed. This eliminates noise from snot, stick, and other variants.

You all may also want to check out IDS Informer. This is a software package designed to create a large number of alerts. It actually simulates the victim host and completes the three-way handshake. It is commercial and is available from Blade Software (http://www.bladesoftware.net/prod_ids.html).

Disabling/commenting out stream4 should do the trick. I'm sure others may have a different method, but this does seem to work for me when needing to light Snort up.

# stream4: stateful inspection/stream reassembly for Snort
#-----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat stick/snot
# against TCP rules. Also performs full TCP stream reassembly, stateful
# inspection of TCP streams, etc. Can statefully detect various portscan
# types, fingerprinting, ECN, etc.

Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
-------------------------------------------------------------
PGP Fingerprint: 0FBA 28D4 C5C7 DF27 AE2C AFC6 0519 DB2C CDB3 7914
-------------------------------------------------------------
Headquarters:
1095 Pingree Rd. Suite 213
Crystal Lake, IL 60014
Tel: (877) 262-7593 e:327
Fax: (877) 262-7593
Mob: (847) 456-6785
Web: http://www.appliedwatch.com

Virginia Office (Intelligence/Dept. of Defense Service Area)
Cleared Personnel: TS/SCI with Polygraph
4524 Waverly Crossing Lane
Chantilly, Va. 20151
Tel: (877) 262-7593
Fax: (877) 262-7593
-------------------------------------------------------------
Enterprise Snort Management at http://www.appliedwatch.com
Security Information Management for the Open Source Enterprise.
-------------------------------------------------------------

________________________________
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Kretzer, Jason R (Big Sandy)
Sent: Monday, September 12, 2005 10:13 AM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] testing snorts

If I am not mistaken, nmap and nessus make snort go crazy with alerts.

-Jason

________________________________
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of snort sara
Sent: Monday, September 12, 2005 11:07 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] testing snorts

Hi all,

I need to show a demonstration of snort by showing some kinds of intrusions that snort alerts on. Does anyone have a good testing tool to test snort? Any reply will be appreciated.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQyWwSQUZ2yzNs3kUEQIB1ACg8QEqsBXhPuVpHgwtKxcg+t4BLu4AoN1Y
B1cozEWk25Q8QUej3AXV3YmJ
=btsq
-----END PGP SIGNATURE-----
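The point in the reply above (stream4 with -z est only lets TCP rules fire on packets that belong to a completed three-way handshake, so stick/snot-style spoofed floods go quiet, and commenting stream4 out brings the noise back) is easy to misread as "Snort ignores attacks without a handshake". The following is an added, stand-alone model of that behaviour; it is not Snort code and not from any of the posters. The packets, the single content rule and the IP addresses are constructed for the demonstration, and the tracker is a deliberately minimal stand-in for stream4's session table.

```python
"""Model of 'alert only on established TCP sessions' versus stateless matching.

Added example, not Snort source. Everything below (rule, hosts, packets) is
constructed in-line so it runs offline.
"""
from dataclasses import dataclass

SYN, PSH, ACK = 0x02, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


# Constructed stand-in for a content rule such as
#   alert tcp any any -> any 80 (msg:"WEB-CGI phf access"; content:"/cgi-bin/phf";)
RULES = [{"dport": 80, "content": b"/cgi-bin/phf", "msg": "WEB-CGI phf access"}]


def match_rules(pkt):
    """Stateless signature check: what a sensor without stream tracking does."""
    return [r["msg"] for r in RULES
            if pkt.dport == r["dport"] and r["content"] in pkt.payload]


class StreamTracker:
    """Minimal three-way-handshake tracker, keyed client->server.

    States: SYN_SENT (client SYN seen), SYN_RECV (server SYN/ACK seen),
    ESTABLISHED (client's final ACK seen).  Anything else is untracked.
    """

    def __init__(self):
        self.state = {}

    @staticmethod
    def key(pkt, reverse=False):
        if reverse:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def update(self, pkt):
        """Feed one packet; return True only if it belongs to an established session."""
        if pkt.flags & SYN and not pkt.flags & ACK:          # client SYN
            self.state[self.key(pkt)] = "SYN_SENT"
            return False
        if pkt.flags & SYN and pkt.flags & ACK:              # server SYN/ACK
            k = self.key(pkt, reverse=True)
            if self.state.get(k) == "SYN_SENT":
                self.state[k] = "SYN_RECV"
            return False
        k = self.key(pkt)
        if self.state.get(k) == "SYN_RECV" and pkt.flags & ACK:  # client ACK completes it
            self.state[k] = "ESTABLISHED"
        return (self.state.get(k) == "ESTABLISHED"
                or self.state.get(self.key(pkt, reverse=True)) == "ESTABLISHED")


def run_sensor(packets, established_only):
    """established_only=True models stream4 + '-z est'; False models stream4 disabled."""
    tracker = StreamTracker()
    alerts = []
    for p in packets:
        established = tracker.update(p)
        if established_only and not established:
            continue  # unestablished TCP never reaches the rule engine
        alerts.extend(match_rules(p))
    return alerts


def stick_style_flood(n):
    """n spoofed PSH/ACK packets carrying the rule's content with no handshake."""
    return [Packet(f"10.0.0.{i % 250 + 1}", 40000 + i, "192.0.2.10", 80,
                   ACK | PSH, b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n") for i in range(n)]


def real_session(payload):
    """Full handshake, then one data segment (what IDS Informer or a real client does)."""
    c, s = ("10.0.0.5", 51234), ("192.0.2.10", 80)
    return [Packet(*c, *s, SYN),
            Packet(*s, *c, SYN | ACK),
            Packet(*c, *s, ACK),
            Packet(*c, *s, ACK | PSH, payload)]


if __name__ == "__main__":
    flood = stick_style_flood(100)
    print("flood, established only:", len(run_sensor(flood, True)))
    print("flood, stream4 disabled: ", len(run_sensor(flood, False)))
    print("real session, established only:",
          run_sensor(real_session(b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"), True))
```

Run it and the hundred spoofed packets produce no alerts in established-only mode and a hundred once tracking is off, while the session that completes its handshake alerts in both modes. That is the trade the reply describes: commenting out stream4 is fine for lighting up a demo, but in production it also discards reassembly and hands an attacker a free way to bury real alerts under a stateless flood, so the better demo tool is one that completes the handshake.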
Current thread:
- testing snorts snort sara (Sep 12)
- <Possible follow-ups>
- RE: testing snorts Kretzer, Jason R (Big Sandy) (Sep 12)
- RE: testing snorts Eric Hines (Sep 12)