[Snort-users] Is there a program to test snort rules?

Brian Laing Brian.Laing at ...8609...
Mon Apr 28 07:58:10 EDT 2003

IT really depends on what you want to test.

If you only want to test has the rule been applied and is the rule
working the way it was written then Stick works very well for this.
However if you want to test whether a rule is WRITTEN correctly then the
only way is to use either our companies IDS Informer tool, or run real
exploits in front of the IDS.  Only these last two methods will test 1.
The rule has been applied to the sensor and 2 is the rule written

Information on Informer below beware marketing info past this point :-)

IT Security Professionals to date have had no effective and easy way to
independently test and verify their Intrusion Detection System (IDS).
All companies that have purchased and deployed IDS systems to date have
had no way of easily validating that the system is doing what it was
purchased to do, i.e. defend and alert against actual attacks.

IDS Informer has been designed from the ground up to help security,
network and audit teams test and confirm that intrusion detection
systems deployed as a key and critical line of defense are working
correctly, are running the correct policy, are monitoring the correct
network segment, are picking up the latest attacks and are responding in
the correct manner. 

IDS Informer is designed to be able to be used in live production
environments and it therefore utilizes a unique method of being able to
inject attacks in a completely controlled, safe and repeatable manner.
It is the ideal solution for fully testing an intrusion detection system
and should be used in the 3 stages of IDS deployment listed below: 

Vendor Selection
It can be used to easily test the differences of the various IDS
products out there, looking for things like attack recognition,
performance testing to see how the IDS operates under load, testing the
management interface to see how "useable" the IDS is in a real world
environment. All of the tests are easily repeatable so that you can be
sure that each product being tested is looked at under the same

IDS Deployment
Before an IDS goes into a live production environment the connections to
the management system should be verified, the policy should be
extensively tested to ensure that it is configured correctly and in
accordance with the organizations security policies, attack signatures
need to be finely tuned to reduce overhead of false positives, any user
defined responses and actions need to be tested and the IDS set up
should be verified to ensure it is monitoring the correct network

Live System
When the IDS is in production it should be tested after each policy
change and update to confirm all functionality is still operational,
random fire drill tests should be undertaken to ensure escalation
policies are working effectively, repeated testing and simulation needs
to be undertaken when investigating events, service level agreements
should be tested if the management of the IDS has been outsourced to a
3rd party. If a managed security company is providing the monitoring
capabilities generally they will have tight service level agreements to
state that when an attack is picked up the customer will be notified
within a certain time frame, if the customer is not notified within that
timeframe then discounts can be applied to the monthly management fees
incurred. By using IDS Informer the customer can run random tests
against their managed IDS devices to test the service level agreements
in place.

The above are just a few of the ways in which IDS Informer can provide
value, BLADE software also have consulting partners who are using IDS
Informer to provide specific regular audits of their customers IDS
system to confirm that the system is still functional. This process was
very time-consuming before the availability of IDS Informer as it was
mainly a manual process, downloading exploits, building scripts, not
easy to repeat the same tests exactly etc. By using IDS Informer
consultants have been able to massively reduce the time to complete the
tests and therefore maximizing their revenue earning potential

 So how does it work?  

IDS Informer uses pre-captured network traffic of an attack from start
to finish.  Using the advanced replay options the traffic is transmitted
through a single network card simulating the original transmission. the
advanced replay options allow IDS Informer to:

Spoof source and destination IP addresses 

Source MAC addresses 

Control the rate of transmission on a per attack and per packet basis 

Transmit in both a stateful and stateless manner and 

Loop attack continuously.  

As IDS Informer replaces the relative fields in each packet of the
original capture with the new information, it recalculates the IP and
TCP pseudo headers and creates new sequence numbers in accordance with
the standards used for each source and destination operating system
before transmitting the packets.  This ensures that when looping attacks
each iteration of the loop is transmitted as a unique data stream. 

It is important to fully understand the inspection techniques used by
the IDS being tested to ensure an accurate test. To an IDS that
incorporates bi-directional inspection, a stateful transmission from IDS
Informer is identical to the real attack. As a  number if IDS solutions
currently available use uni-directional inspection techniques, a routed
or stateless transmission will still appear to be identical to the
original attack.  

Brian Laing
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650.367.9376
eFax:         +1 650.249.3443
Blade Software - Because Real Attacks Hurt

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Paul B.
Sent: Monday, April 28, 2003 5:51 AM
To: Joe Horton
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Is there a program to test snort rules?

I've found sneeze to be occasionally useful, which according to the 
snort faq can be found at: http://snort.sourceforge.net/sneeze-1.0.tar

Something like snot is also be used to generator noise from snort rules 
similar to stick (I believe). Snot can be found at 

Joe Horton wrote:
> Heres something i found that says it can test snort rules but its not 
> for download :(  http://www.eurocompton.net/stick/projects8.html
> know if theres something similar that i can use to test rules?

This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list