[Snort-users] false positive generator
Dirk_Geschke at ...1344...
Wed Feb 11 06:03:03 EST 2004
> Don't get me wrong, I am all for these stateless attack tools - they
> serve their purpose. I just thought that if you were trying to populate
> a database with "real" attacks they might not be the best way to do it -
> I misunderstood your intentions - sorry.
> If you are looking to verify maximum insert rates, etc, you could still
> use real exploit traffic, captured with tcpdump and replayed under
> script control via tcpreplay - probably more controllable than
> Stick/Snot/Sneeze and no need to invest in fancy tools.
Of course you are right, but what if I don't have captured attacks? Or is
there a place where I can find captured tcpdump files full of alerts?
And one other point is: if you just want to test whether a new keyword
works as designed, it could be helpful to build a packet which
should trigger an alert. Whether this alert matches a real attack
is another question...