[Snort-users] false positive generator

Dirk Geschke Dirk_Geschke at ...1344...
Wed Feb 11 06:03:03 EST 2004


Hi Bob,

> Don't get me wrong, I am all for these stateless attack tools - they
> serve their purpose. I just thought that if you were trying to populate
> a database with "real" attacks they might not be the best way to do it -
> I misunderstood your intentions - sorry.

no problem...
 
> If you are looking to verify maximum insert rates, etc, you could still
> use real exploit traffic, captured with tcpdump and replayed under
> script control via tcpreplay - probably more controllable than
> Stick/Snot/Sneeze and no need to invest in fancy tools.

Of course you're right, but what if I don't have captured attacks? Or is
there a place where I can find captured tcpdump files full of alerts?

And one other point is: if you just want to test whether a new keyword
works as designed, it could be helpful to build a packet which
should trigger an alert. Whether this alert matches a real attack
is another question...

Best regards

Dirk
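The two ideas in this exchange, replaying a capture under script control and hand-building a packet that should trigger a rule, meet in a small test harness. The following is an added example, not code from the thread or from the Snort project: it builds a single Ethernet/IPv4/TCP frame with a chosen payload, computes the IP and TCP checksums, and writes it into a classic pcap file that can be fed to `snort -r test_alert.pcap` or replayed with tcpreplay. The IP addresses, ports, MAC addresses, payload and the sketched test rule are all constructed placeholders.

```python
"""Build a pcap containing one hand-crafted TCP packet so a new Snort rule or
keyword can be checked offline (snort -r) or replayed (tcpreplay).

Added example; assumptions are marked as constructed."""
import struct
import time

# Constructed sample values (documentation ranges, not real hosts)
SRC_IP = "192.0.2.10"
DST_IP = "192.0.2.20"
SRC_PORT = 40000
DST_PORT = 80
TEST_PAYLOAD = b"GET /snort-keyword-test HTTP/1.0\r\n\r\n"
# Constructed rule this packet is meant to fire, for a local test ruleset:
# alert tcp any any -> any 80 (msg:"KEYWORD TEST"; content:"snort-keyword-test"; sid:1000001; rev:1;)


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_tcp_packet(payload: bytes, src_ip=SRC_IP, dst_ip=DST_IP,
                     sport=SRC_PORT, dport=DST_PORT) -> bytes:
    """Return an Ethernet + IPv4 + TCP (PSH/ACK) frame with valid checksums."""
    src, dst = ip_to_bytes(src_ip), ip_to_bytes(dst_ip)
    # TCP header: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, csum=0, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp_hdr) + len(payload))
    tcp_csum = ip_checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    total_len = 20 + len(tcp_hdr) + len(payload)
    # IPv4 header: ver/ihl, tos, total length, id, DF flag, ttl, proto TCP, csum=0, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    # Ethernet: constructed MACs from the IANA documentation range, EtherType IPv4
    eth = b"\x00\x00\x5e\x00\x53\x02" + b"\x00\x00\x5e\x00\x53\x01" + b"\x08\x00"
    return eth + ip_hdr + tcp_hdr + payload


def build_pcap(packets, ts=None) -> bytes:
    """Classic little-endian pcap: global header (link type 1 = Ethernet) plus one record per frame."""
    ts = time.time() if ts is None else ts
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for pkt in packets:
        sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return out


def verify_checksums(frame: bytes) -> bool:
    """Recompute the IP and TCP checksums over the frame; a valid one folds to zero."""
    ip = frame[14:34]
    if ip_checksum(ip) != 0:
        return False
    tcp_and_data = frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp_and_data))
    return ip_checksum(pseudo + tcp_and_data) == 0


if __name__ == "__main__":
    frame = build_tcp_packet(TEST_PAYLOAD)
    with open("test_alert.pcap", "wb") as f:
        f.write(build_pcap([frame]))
    print("wrote test_alert.pcap:", len(frame), "byte frame, checksums ok:", verify_checksums(frame))
```

Because the payload is whatever you choose, the same harness covers the second point in the mail: a packet that exercises a new keyword can be written without any captured attack at all, and whether it resembles a real attack is left to the rule author. Running it against a rules file containing only the constructed test rule gives a clean pass/fail for that keyword, without the noise a stateless generator would add.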
