Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: pcaps for triggering rules

From: Pratik Narang <pratik.cse.bits () gmail com>
Date: Fri, 24 Aug 2012 13:08:07 +0530
Yes, same experience at my end. The tools surely sounds interesting...

On Fri, Aug 24, 2012 at 12:56 PM, Tony Robinson
<deusexmachina667 () gmail com> wrote:

Hm... I just looked for rules2alerts tool via google search and wasn't able
to find it, with quotation marks and all. I consider my google-fu decent,
but there's a chance I could be completely off base here and not searching
for the right thing.

I'm interested in this tool -- could you provide a link for it? copied the
mailing list because this could be useful to everyone here.

Thanks!

-Tony/da667


On Fri, Aug 24, 2012 at 3:15 AM, Gmail Personal <mainmen1985 () gmail com>
wrote:


Pratik,

Google for "rules2alerts". As long as your rules are currently in the
Emerging Threats or sourcefire rule set, you can just create a custom rule
set with the rules you want to test, run rules2alerts and you're set

If you want specific rules from your local.rules set, then I suggest
Scapy, too

That might do the job

Emeka Agu | Sent from  iPad

On 24 Aug 2012, at 07:26, Pratik Narang <pratik.cse.bits () gmail com> wrote:

Dear Snort users,

A good deal of Snort rules do a 'content' check.
Can I use some utility so that I may be able to craft or tamper
packets just to suit them to trigger Snort rules of my choice?
Essentially, I guess, I am asking if I can create sample pcaps or
modify actual pcap captures which will trigger certain rules.


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!



------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!





--
when does reality end? when does fantasy begin?


------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Previous By Date Next
Previous By Thread Next

Current thread: