[Snort-users] Performance Testing

Matt Kettler mkettler at ...4108...
Wed Jul 30 13:58:08 EDT 2003

At 12:30 PM 7/30/2003 -0700, Aaron Babalola wrote:
>I need assistance in testing the performance of my snort IDS, i have 
>activated some rules, but the only test i can is port scanner. I need 
>someone to suggest the necessary tools and methology to test that mu IDSis 
>really working

I'd suggest running some things that actually look more like an attack than 
a trivial run-of-the-mill portscan (yawn).

nessus and nmap are good tools to start with.

If you really want to test that every rule in the entire configuration is 
working, well, that's a lot more work as you'll have to find a copy of the 
tools that generate every attack that snort detects.. ouch.

Another way to check you snort sensor is to create a simple rule that 
alerts on every packet going by, and temporarily add it to your ruleset.. 
you should see a LOT of alerts this way, and it will also give you a quick 
verification as to what kinds of traffic flows in your network your snort 
box is seeing and processing. (admittedly just running tcpdump will do 
close to the same thing, but this will also pick up problems like 
configuring snort for the wrong interface, etc).

More information about the Snort-users mailing list