[Snort-users] false positive generator
bwalder at ...1926...
Wed Feb 11 05:41:02 EST 2004
Don't get me wrong, I am all for these stateless attack tools - they
serve their purpose. I just thought that if you were trying to populate
a database with "real" attacks they might not be the best way to do it -
I misunderstood your intentions - sorry.
If you are looking to verify maximum insert rates, etc, you could still
use real exploit traffic, captured with tcpdump and replayed under
script control via tcpreplay - probably more controllable than
Stick/Snot/Sneeze and no need to invest in fancy tools.
>> -----Original Message-----
>> From: snort-users-admin at lists.sourceforge.net
>> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf
>> Of Dirk Geschke
>> Sent: 11 February 2004 13:07
>> To: bwalder at ...1926...
>> Cc: 'Dirk Geschke'; 'Matt Kettler'; 'Peggy Kam';
>> snort-users at lists.sourceforge.net; Dirk_Geschke at ...1344...
>> Subject: Re: [Snort-users] false positive generator
>> Hi Bob,
>> > Perhaps I am missing something, but why do you want to
>> generate false
>> > positives exactly? Unless you are attempting to demonstrate how a
>> > sensor handles (or does not handle) false positives (i.e. in this
>> > case, I think you are really talking about stateless attacks, ones
>> > where the 3-way handshake has not occurred and only
>> payload is being
>> > sent) then tools like Stick/Sneeze/Snot are not much use
>> to you. You
>> > can check out our IDS/IPS reports at www.nss.co.uk/ids if
>> you want to
>> > see how sensors handle stateless attacks and other types of false
>> > positives.
>> maybe someone will do his own tests on stateless attacks?
>> There is of course one valid point to test a sensor. If you
>> see how it works with stateless attacks you can verify how
>> the sensor works with a high attack rate. Think of the
>> behaviour of the output plugins, do they work well on high load?
>> Does snort start to drop packages on this scenario?
>> Yes, of course, you don't get a result for real attacks
>> where the 3-way-handshake must be successfully applied.
>> > Try using real attack traffic replayed using TCPREPLAY, or
>> a tool like
>> > Blade IDS Informer/Firewall Informer which does the same
>> thing but all
>> > wrapped up in a nice GUI and with plenty of pre-defined attacks
>> > included. That way, you will see some "real" attacks
>> appearing in your
>> > database.
>> Yeah, but if you don't have such tools/packets for this
>> tests and you want to create a very high attack rate to see
>> if the database is able to handle it?
>> How about stateless UDP attacks? They are still possible.
>> So if you are able to generate a high load of UDP alerts
>> then it would be likely that snort won't recognize the
>> real TCP attack due to dropping some packets so that he
>> won't see the established connection.
>> I think these are all valid points which would justify to
>> work with such false positive generator.
>> > Be aware that not ALL the test cases included with the
>> Blade software
>> > are good - we tend to use real exploit traffic or test
>> cases we have
>> > generated in house to ensure complete control, but IDS/Firewall
>> > Informer make the replay easy.
>> Not everyone has this kind of environment for tests...
>> For my environment I was simply testing if FLoP is able to
>> work with a very high rate on alerts which should all be
>> saved in a database. So every database has limitations on
>> the INSERT rate which is usually much slower than the possible alert
>> generating of snort.
>> Think of a databas able to insert about 200 alerts per
>> second and an alert rate of 2000 packets per second.
>> Is it possible to store all alerts in the database? Or are
>> some lost? Or does snort drop packets due to a slow output plugin?
>> All these questions can be answered with some tools like the
>> "fpg" program. And that was the idea why I wrote it.
>> I think you may now see why this kind of alert generators
>> may be useful...
>> Best regards
>> The SF.Net email is sponsored by EclipseCon 2004
>> Premiere Conference on Open Tools Development and
>> Integration See the breadth of Eclipse activity. February
>> 3-5 in Anaheim, CA. http://www.eclipsecon.org/osdn
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> >> https://lists.sourceforge.net/lists/listinfo/sno>> rt-users
>> Snort-users list archive:
More information about the Snort-users