Snort mailing list archives

Re: Trigger events
From: Nick Moore <nmoore () sourcefire com>
Date: Wed, 5 Jan 2011 09:36:22 -0600

Dwane,

It depends:

1. If you are inline between your switch and another network device, you
will see all the traffic between those two devices.

2. If you are passively monitoring a port on the switch, make sure you have
configured a SPAN correctly. Here is a link for some Cisco switches:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml.
If your switch is not in the list here, Google is your friend.

3. To generate events, there are a lot of methods that work. The easiest is to
write a custom rule for a specific workstation using normal traffic, like
surfing a web page. For more interesting events, connect your Snort
interface directly to the Internet. You should see some random attacks
pretty quickly. You could try Metasploit and other attack generators, but
these usually entail having a couple of machines up at the same time and can
be a little more complicated. Be aware that attack simulators that do not
include a complete established session between two workstations may not
trigger a Snort rule if it has flow established in it. Last, nmap will not
usually generate a lot of interesting events outside of the portscan
preprocessor.

Hope this helps.

Nick

On Wed, Jan 5, 2011 at 9:12 AM, Atkins, Dwane P <ATKINSD () uthscsa edu> wrote:

We are testing snort in our testing environment.  Once completed, we are sure
our switch will not generate enough traffic to trigger events.  Is there an
application that will allow us to trigger these events in a test
environment?

Thank you

Dwane
------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers
to consolidate database storage, standardize their database environment,
and,
should the need arise, upgrade to a full multi-node Oracle RAC database
without downtime or disruption
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- 
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM    nickgmoore (Yahoo)
       nickgmoore38 (AIM)

    ,,_
   o"  )~   Sourcefire - The Creators of Snort
    ''''

www.sourcefire.com         www.snort.org
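The custom-rule approach from point 3, written out as an added example (not from the thread or from Sourcefire). It assumes the test workstation is 192.168.10.25, that the local sid range 1000000+ is unused, and that snort.conf already includes local.rules.

```snort
# local.rules (added example). Assumed values: workstation 192.168.10.25,
# sids 1000001-1000003 free.

# Sanity check that the sensor sees the SPAN/inline traffic at all:
# one event per echo request (itype 8) the workstation sends.
alert icmp 192.168.10.25 any -> any any (msg:"TEST ping from workstation"; itype:8; classtype:not-suspicious; sid:1000001; rev:1;)

# Fires once per HTTP request while the workstation surfs a web page.
# flow:established,to_server means a packet replayed by an attack simulator
# without a completed TCP handshake will NOT match, which is the caveat in
# the reply above.
alert tcp 192.168.10.25 any -> any 80 (msg:"TEST workstation web surfing"; flow:established,to_server; content:"GET"; http_method; classtype:not-suspicious; sid:1000002; rev:1;)

# Same match without flow: also fires on stateless replays, so comparing
# hit counts of 1000002 and 1000003 shows whether the simulator is
# producing real sessions or lone packets.
alert tcp 192.168.10.25 any -> any 80 (msg:"TEST GET without flow"; content:"GET"; classtype:not-suspicious; sid:1000003; rev:1;)
```

Run snort with `-A console` against the interface that carries the SPAN or inline traffic and have the workstation ping something and load a page; the ICMP rule should fire before the HTTP rules, which isolates a SPAN problem from a rule problem.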
