[Snort-devel] Snort >= 2.1.3 TCP/IP options bug

Evrim ULU evrim at ...1988...
Mon Oct 25 15:07:05 EDT 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chris Green wrote:
<snip/>

| I think dan & marc cooked up a very simple comparison perl script back
| when they were working on the 2.0 detection engine.  The biggest
| weakness I had was that it was output dependent and a bit of a pain to
| add new tests to.
|

Currently I don't have any unit testing framework suggestion, but here are
my basic ideas about box testing.

First, to test a rule, one needs:

* a sample malicious packet (i.e. a pcap file).
* the rule itself
* an output plugin that shows us "SNORT MATCHED RULE NUMBER X"
(i.e. rule id="159", which represents the tested rule)

After collecting the above data, a framework can be written following
this basic methodology:

* Put the rule in snort.conf
* Run snort
* Feed the pcap
* Examine the output for matches.

The methodology is simple. I think snort needs one special testing output
plugin, a pseudo device to feed the packet (or, as I remember, it can
read from a file), and a snort runner wrapper.

I think Chris worked on the snort runner wrapper. I remember our
conversation about tcp stream4 testing. If Chris can publish the wrapper
I'll gladly examine it.

I really don't get the idea behind the snort.conf file format. Why isn't
it XML, given that there exists a technology called JAXB (XML Bindings for
Java) or Castor? Anyway, the snort team has the parser and can author a
snort.conf preparer for tests.

Also, one needs a packet generator. The basic idea is that one can
generate a pcap packet file for a rule, but maintaining the test packet
database is a pain in the ass. So a plugin or some code must be written to
generate an alert packet from a given rule. Randomness can be injected into
that plugin since it generates packets at runtime.

To sum up, box testing can be done without too much effort. It obviously
does not replace unit tests but will be sufficient for a start. The idea
discussed here is simply for the detection engine.

PS: Protocol decoding testing is somewhat cumbersome for me now. I looked
for an open-source one but found none. It wouldn't be a difficult task if
decoders were designed as components and signed a *plugin interface*, but
snort's plugin design is not what I was expecting (sigh). Prelude has a
more flexible one afaik. Hope I'll finish my Cocoon hacking and skim
snort's code, 'cos I haven't read a line in 1.5 years. (sorry :()

Evrim.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBfPZ2R2rUfDW+YFIRAg/9AJ42TKJH/IksBZKXANWyonjU+UQGsgCfdmcz
W52pd+OSwOe41uh0kMhdd4g=
=3g6Q
-----END PGP SIGNATURE-----
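The box-testing loop described in the message above (one rule in snort.conf, run snort over a pcap, look for the rule's sid in the output), together with a minimal version of the "generate the packet from the rule" idea, as an added Python harness. This is example code written for this page, not code from the snort project or from anyone in the thread. The rule text, sid 1000001, the constructed HTTP payload, and the Snort 2.x command line `snort -q -c CONF -r PCAP -A fast -l LOGDIR` (which writes fast alerts to `LOGDIR/alert`) are assumptions; the hand-built packet carries valid IP and TCP checksums so snort's default checksum verification does not skip it. If no `snort` binary is on PATH, only the pcap and conf generation run.

```python
"""Box-test harness for one Snort rule.

Added example, not code from the snort project or the list thread.
Assumptions: the rule/sid/payload below are constructed for illustration,
and snort is a 2.x binary accepting `-q -c CONF -r PCAP -A fast -l LOGDIR`
(writing fast alerts to LOGDIR/alert)."""
import os
import re
import shutil
import struct
import subprocess
import tempfile

SID = 1000001  # assumed local sid for the rule under test
RULE = ('alert tcp any any -> any 80 (msg:"TEST box rule"; '
        'content:"GET /cgi-bin/test.cgi"; sid:%d; rev:1;)' % SID)
PAYLOAD = b"GET /cgi-bin/test.cgi HTTP/1.0\r\n\r\n"  # constructed; matches RULE

# One fast-alert line looks like: "... [**] [gid:sid:rev] msg [**] ..."
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")


def checksum(data):
    """RFC 1071 one's-complement sum used by IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_packet(payload, src="10.0.0.1", dst="10.0.0.2", sport=40000, dport=80):
    """Ethernet/IPv4/TCP frame carrying payload, with valid checksums so
    snort's default checksum verification does not discard it."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp_len = 20 + len(payload)
    # sport, dport, seq, ack, data offset 5 words, flags PSH|ACK, window, cksum 0, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    # version 4 / IHL 5, TOS 0, total length, id, no frags, TTL 64, proto TCP, cksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0, 64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def pcap_bytes(frames):
    """Serialize frames as a libpcap file (little-endian, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1098720000 + i, 0, len(frame), len(frame)) + frame
    return out


def matched_sids(alert_text):
    """sids reported in `snort -A fast` output."""
    return {int(m.group(2)) for m in ALERT_RE.finditer(alert_text)}


def run_snort_box_test(rule=RULE, payload=PAYLOAD, sid=SID):
    """Return (snort_available, matched).  Writes the pcap and a one-rule
    snort.conf to a temp dir, runs snort, and looks for sid in LOGDIR/alert."""
    snort = shutil.which("snort")
    if snort is None:
        return False, False
    workdir = tempfile.mkdtemp(prefix="snortbox_")
    pcap = os.path.join(workdir, "test.pcap")
    conf = os.path.join(workdir, "snort.conf")
    with open(pcap, "wb") as f:
        f.write(pcap_bytes([build_tcp_packet(payload)]))
    with open(conf, "w") as f:
        f.write(rule + "\n")
    subprocess.run([snort, "-q", "-c", conf, "-r", pcap, "-A", "fast", "-l", workdir],
                   check=False, capture_output=True)
    alert_file = os.path.join(workdir, "alert")
    text = open(alert_file).read() if os.path.exists(alert_file) else ""
    return True, sid in matched_sids(text)


if __name__ == "__main__":
    available, matched = run_snort_box_test()
    if not available:
        print("snort not on PATH; only pcap/conf generation was exercised")
    else:
        print("MATCHED" if matched else "NO MATCH", "for sid", SID)
```

The packet builder is the simplest form of the "generate the alert packet from the rule" idea: the payload is taken from the rule's `content` and wrapped in a frame whose ports satisfy the rule header. Extending it to parse arbitrary rules, or to randomise the fields the rule does not constrain, is the work the message leaves to the plugin.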