Snort mailing list archives
Re: Trigger events
From: Nick Moore <nmoore () sourcefire com>
Date: Wed, 5 Jan 2011 09:36:22 -0600
Dwane,

It depends:

1. If you are inline between your switch and another network device, you will see all the traffic between those two devices.

2. If you are passively monitoring a port on the switch, make sure you have configured a SPAN correctly. Here is a link for some Cisco switches: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml. If your switch is not in the list here, Google is your friend.

3. To generate events, there are a lot of methods that work. The easiest is to write a custom rule for a specific workstation using normal traffic, like surfing a web page. For more interesting events, connect your Snort interface directly to the Internet. You should see some random attacks pretty quickly. You could try Metasploit and other attack generators, but these usually entail having a couple of machines up at the same time and can be a little more complicated. Be aware that attack simulators that do not include a complete established session between two workstations may not trigger a Snort rule if it has flow established in it. Last, nmap will not usually generate a lot of interesting events outside of the portscan preprocessor.

Hope this helps.

Nick

On Wed, Jan 5, 2011 at 9:12 AM, Atkins, Dwane P <ATKINSD () uthscsa edu> wrote:
We are testing Snort in our testing environment. Once completed, we are sure our switch will not generate enough traffic to trigger events. Is there an application that will allow us to trigger these events in a test environment?

Thank you
Dwane

------------------------------------------------------------------------------
Learn how Oracle Real Application Clusters (RAC) One Node allows customers to consolidate database storage, standardize their database environment, and, should the need arise, upgrade to a full multi-node Oracle RAC database without downtime or disruption http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Nick Moore, SFCE, CISSP, CISA
Sr. Systems Engineer
Voice 708-336-9041
Email nick.moore () sourcefire com
IM nickgmoore (Yahoo) nickgmoore38 (AIM)
  ,,_
 o"  )~   Sourcefire - The Creators of Snort
 ''''     www.sourcefire.com www.snort.org
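As an added illustration of the custom-rule approach from the reply above (not rules from the original thread or from Sourcefire), here is a local.rules fragment for a hypothetical test workstation at 192.168.10.25 (a placeholder address). It assumes Snort 2.x rule syntax with the stream and http_inspect preprocessors enabled, and that local.rules is included from snort.conf. The first rule requires an established session, so it shows the flow-state caveat the reply mentions; the other two do not.

```snort
# local.rules -- added example, not from the original thread.
# 192.168.10.25 is a constructed placeholder; replace it with your test host.

# Rule 1: normal web browsing from the test workstation. flow:established means
# Snort must have tracked the full TCP handshake via the stream preprocessor,
# so a replayed or crafted single packet will NOT fire this rule.
alert tcp 192.168.10.25 any -> any 80 (msg:"LOCAL-TEST web request from test workstation"; flow:to_server,established; content:"GET"; http_method; sid:1000001; rev:1; classtype:not-suspicious;)

# Rule 2: the same content match with no flow-state requirement. Fires on any
# packet carrying the content, session or not. Handy for confirming the sensor
# sees the workstation's packets at all (e.g. a SPAN problem), but noisy.
alert tcp 192.168.10.25 any -> any 80 (msg:"LOCAL-TEST GET seen, no flow state required"; content:"GET"; sid:1000002; rev:1; classtype:not-suspicious;)

# Rule 3: ICMP echo request from the workstation. The simplest sensor check,
# since a ping needs no session to be tracked.
alert icmp 192.168.10.25 any -> any any (msg:"LOCAL-TEST ping from test workstation"; itype:8; sid:1000003; rev:1; classtype:not-suspicious;)
```

Run Snort on the monitored interface (for example `snort -c /etc/snort/snort.conf -A console -i eth0`), then ping and browse a web page from the workstation. If sids 1000002 and 1000003 fire but 1000001 never does, the sensor is seeing packets but not complete sessions, which is the SPAN or session-tracking situation the reply warns about.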