[Snort-users] signature testing (win32)

Robby Desmond rdesmond at ...6547...
Sun Sep 15 18:31:01 EDT 2002


At 12:06 AM 9/11/02 +0000, netsec novice wrote:
>Have SNORT/ACID set up and would like to verify that I'm detecting traffic 
>on required subnets.  I have seen reference to a tool called 'sneeze' that 
>will generate false alarms but I have not been able to find it.  Is there 
>another way I can verify my setup by creating alerts that won't be destructive?
>
>thanks

http://www.snort.org/docs/faq.html#4.18

4.18 --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--
Q: How do I test snort alerts and logging?

A: Try a rule that will fire off all the time like:
         alert tcp any any -> any any (msg:"TCP traffic";)
Also take a look at sneeze at http://snort.sourceforge.net/sneeze-1.0.tar 
Sneeze is a false positive generator that reads snort signatures and 
generates packets that will
trigger the rules.
  --faq-- --snort-- --faq-- --snort-- --faq-- --snort-- --faq--


To quote an amazingly useful resource.
-Robby

Robert Desmond
Systems Administrator
UCSB Extended Learning Services
805-893-4906





More information about the Snort-users mailing list