[Snort-users] false positive generator

Dirk Geschke Dirk_Geschke at ...1344...
Wed Feb 11 01:29:02 EST 2004


Hi all,

> > I am currently using snort-2.1.1-RC1 and am trying to use
> > sneeze to generate some false positives. However, it does not
> > seem to work at all (as mentioned previously). Does anyone know
> > if there's another false positive generator out there?
> > 
> 
> Have you tried disabling stream4?  I don't know how sneeze works
> but if it doesn't build legit TCP sessions I don't think Snort
> will bother with it.  Can anyone confirm this?

yes of course. It would be difficult (but not impossible) to build
a false positive generator which is able to create established 
connections. The big question is: Would it be useful or would it
lead to DoS attacks against snort sensors? 

Ok, you must have either two machines on the monitored network 
or direct access to the snort sensor to fake responses.

One other false-positive-generator is the program "fpg" as 
part of FLoP (http://www.geschke-online.de/FLoP). This
generator understands some more snort keywords and works
much faster. (Indeed you can create drop rates with it.)

But to use it you have either to remove the "established"
keywords from the rule or disable the stream4 preprocessor.

Best regards

Dirk
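The post notes that a generator which cannot build real TCP sessions only triggers rules once the "established" keyword is removed or stream4 is disabled. As an added example (not part of the original post, and not code from FLoP or fpg), the script below rewrites a copy of a Snort ruleset for such a lab test: it drops `established` from `flow:` options while keeping the remaining direction flags, and it splits options on semicolons outside quoted strings so a `msg` containing `;` is not broken. The sample rules are constructed for illustration.

```python
import re

# Constructed sample rules for illustration (not from any real ruleset).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test; with semicolon"; '
    'flow:established,to_server; content:"GET"; sid:1000001; rev:1;)',
    'alert tcp any any -> any 22 (msg:"SSH test"; flow:to_server,established; '
    'content:"SSH-"; sid:1000002;)',
    'alert udp any any -> any 53 (msg:"DNS test"; content:"|00 01|"; sid:1000003;)',
]


def split_options(body):
    """Split the rule body on ';' but ignore semicolons inside double quotes."""
    opts, cur, in_quote, prev = [], [], False, ''
    for ch in body:
        if ch == '"' and prev != '\\':        # toggle quote state on unescaped "
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        prev = ch
    tail = ''.join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def strip_established(rule):
    """Return the rule with 'established' removed from its flow: option.

    Other flow flags (to_server, to_client, ...) are kept; if nothing is left
    the whole flow: option is dropped. Rules without a flow: option pass through.
    """
    m = re.match(r'^(.*?)\((.*)\)\s*$', rule)
    if not m:
        return rule                           # not a rule line (comment, blank, ...)
    header, body = m.group(1), m.group(2)
    new_opts = []
    for opt in split_options(body):
        key, sep, val = opt.partition(':')
        if sep and key.strip() == 'flow':
            keep = [v.strip() for v in val.split(',') if v.strip() != 'established']
            if not keep:
                continue                      # flow:established; alone -> drop option
            opt = 'flow:' + ','.join(keep)
        new_opts.append(opt)
    return header + '(' + ' '.join(o + ';' for o in new_opts) + ')'


if __name__ == '__main__':
    for r in SAMPLE_RULES:
        print(strip_established(r))
```

Apply it only to the copy of the ruleset loaded on the lab sensor, so the production rules keep their stream4 dependence.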