[Snort-users] Testing Snort

dmuz dmuz at ...2089...
Thu May 31 11:38:10 EDT 2001


On Thu, May 31, 2001 at 09:01:17AM -0700, Rich Phelps said:
> Good Morning,

mornin'

> Im running black ice defender and snort 1.7 on my network. Black Ice has
> picked up several probes over the night but snort hasnt logged a thing. Im
> currently using the signatures from www.whitehats.com . Is there any way I
> can test snort out?

There are two questions here. First, why is BlackIce seeing things that
snort is not. Second, how can you test snort. 

1.) I'll assume that you have snort configured in a way that it can
"see" the traffic in question. For example on a hub or spanned port of a
switch. The answer is probably very simple, BlackIce is configured to
alert for types of traffic that snort does not consider an attack. It has
been my experience that BlackIce (and others) can be a little to
sensitive. Snort is probably just being a little more discriminating
After all, what good is an IDS if you get so many false alerts that you
can not pick out the true ones? The bottom line is snort will log what
you tell it to log via the rules. Not getting enough alerts? Add more
rules... :)

2.) If you want to test snort. Start by scanning it. If you have access
to a *nix system download nmap and port  scan the machine running snort.
Go over the http://packetstorm.securify.com/ and download some exploit
code (how about jill.c or some other recent crack) and run that against
your snort box. Ping it, prod it, poke it.. see what it does.. 

cheers,
-- 
dmuz
http://sec.angrypacket.com/




More information about the Snort-users mailing list