[Snort-users] testing IDS

Martin Roesch roesch at ...1935...
Mon Jun 27 20:16:05 EDT 2005


There are better ways to test Snort.  Snort doesn't have a formal  
programmatic SYN flood detector but you could probably write a  
threshold rule that would give you the capability in about 10 minutes.

A better idea would be to go get metasploit or the Exploitation  
Framework at http://www.securityforest.com/wiki/index.php/Exploitation_Framework
to generate some attacks.  Snort has never  
really concentrated on rate-based DoS detection.  Usually you can  
tell when you're getting hit by a rate-based DoS without a whole lot  
in the way of IDS... :)

       -Marty


On Jun 21, 2005, at 12:58 AM, Geries Handal wrote:

> Hi...
>
> I downloaded a couple of tools from this site:
>
> http://www.antiserver.it/Denial-Of-Service/
>
> The tools were:
>
> APSEND v1.60 and
>
> Datapool v3.3
>
> I used them to test my Linux box with Snort, but I don't get any  
> alerts on any of the attacks, only portscans and portsweeps but no  
> DoS attacks. For example, with APSEND you can generate a SYN flood  
> DoS... but Snort will not generate any alerts...
>
> So I'd like to know what I'm doing wrong or is there a better way to  
> test Snort...
>
> Thanks
> Geries Handal

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Network Defense for the Real World - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org
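
An added example, not part of the original message and not a rule from the Snort distribution: one way to write the kind of threshold rule mentioned in the reply above, in Snort 2.x rule syntax. The count, time window, message text and sid are assumed values to tune for the monitored network.

```snort
# Constructed example for local.rules (Snort 2.x syntax).
# Assumed values: count/seconds, msg text, sid (1000000 and up is the local range).
#
# flags:S          match TCP segments with only the SYN bit set
# flow:stateless   evaluate regardless of stream state, since flood SYNs
#                  never complete a handshake
# threshold:
#   type both      alert at most once per window, and only after `count` matches
#   track by_dst   count per destination IP, so traffic from many or spoofed
#                  sources still adds up against the one host being hit
#   count 200, seconds 1
#                  fire when one host receives 200 bare SYNs within 1 second
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL possible SYN flood (rate threshold)"; \
    flow:stateless; flags:S; \
    threshold:type both, track by_dst, count 200, seconds 1; \
    classtype:attempted-dos; sid:1000001; rev:1;)
```

Set the count above the normal peak SYN rate of the busiest server in `$HOME_NET`, or the rule will alert on legitimate load. Later Snort 2.x releases deprecate the in-rule `threshold` option in favour of `detection_filter`, which takes `track`, `count` and `seconds`.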