[Snort-sigs] Strange question

Matt Kettler mkettler at ...189...
Wed Apr 23 10:45:02 EDT 2003


Erm, why do you want viruses to test a firewall? Viruses aren't even 
relevant to a firewall anyway. They infect executables; firewalls block 
network attacks. Perhaps you meant worms?

In general, using self-replicating code (i.e., worms or viruses) as a "test" 
is an extremely reckless and dangerous thing to do. It's a lot like 
pouring a can of gas on the floor and lighting it to see if the 
fire-sprinkler system works. Even if the floor is concrete, there are still 
much safer tests out there.

Might I suggest looking at the Nessus scanner or something of the like instead? 
There are lots of tools out there that use the same attacks as network 
worms (which I assume is what you really want) and only manually so they 
won't spread out of control if you accidentally misstep.

Certainly in your case, it sounds like you're not quite up to the task of 
testing with self-replicating code. It's VERY easy to screw up. When 
professionals (i.e., antivirus writers) that do test with live code run their 
tests, they use a separate quarantined network that isn't connected to any 
part of the internet in any way. They do it because even a trained 
professional that handles worms every day can make a mistake and the risk 
of infecting other networks is high.

At 09:01 AM 4/23/2003 -0700, Bryan Irvine wrote:
>I'd like to test out the Snort rules I have in place, and download some
>viruses (Windows-only viruses as I'm on Linux), but after some googling
>I've found (rather expectedly) that no one wants to make viruses
>available for download. Does anyone have an archive of viruses that I
>could download to test the firewall?




