[Snort-users] testing snorts

Eric Hines eric.hines at ...8860...
Mon Sep 12 09:45:10 EDT 2005


If you do use those tools, beware of Snort's stream4 preprocessor,
which does not log an alert until a complete three-way handshake has
completed. This eliminates noise from snot, stick, and other
variants. You all may also want to check out IDS Informer. This is a
software package designed to create a large number of alerts. It
actually simulates the victim host and completes the three-way
handshake. It is commercial and is available from Blade Software.

Disabling/commenting out stream4 should do the trick. I'm sure
others may have a different method but this does seem to work for me
when needing to light Snort up.

# stream4: stateful inspection/stream reassembly for Snort
-
# Use in concert with the -z [all|est] command line switch to defeat
# against TCP rules.  Also performs full TCP stream reassembly,
# inspection of TCP streams, etc.  Can statefully detect various
# types, fingerprinting, ECN, etc.

Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
-------------------------------------------------------------
PGP Fingerprint: 0FBA 28D4 C5C7 DF27 AE2C 
                 AFC6 0519 DB2C CDB3 7914
-------------------------------------------------------------
1095 Pingree Rd.
Suite 213
Crystal Lake, IL 60014
Tel: (877) 262-7593 e:327
Fax: (877) 262-7593
Mob: (847) 456-6785
Web: http://www.appliedwatch.com 

Virginia Office (Intelligence/Dept. of Defense Service Area)
Cleared Personnel: TS/SCI with Polygraph
4524 Waverly Crossing Lane
Chantilly, Va. 20151
Tel: (877) 262-7593
Fax: (877) 262-7593
-------------------------------------------------------------
Enterprise Snort Management at http://www.appliedwatch.com 
Security Information Management for the Open Source Enterprise.
-------------------------------------------------------------




From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
Kretzer, Jason R (Big Sandy)
Sent: Monday, September 12, 2005 10:13 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] testing snorts

If I am not mistaken, nmap and nessus make snort go crazy with
-Jason


	From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of snort
	Sent: Monday, September 12, 2005 11:07 AM
	To: snort-users at lists.sourceforge.net
	Subject: [Snort-users] testing snorts
	Hi all,
	I need to show a demonstration of snort by showing some kinds of
intrusions that snort alerts on. Does anyone have good testing tools
to test snort?
	Any reply will be appreciated.

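An added illustration, not from Eric's post or from Snort's own source: a toy stateful tracker in Python that models why stream4 (or the -z est switch) never hands a handshake-less stick/snot segment to the rules, and why commenting stream4 out makes every payload packet inspectable. The Packet layout, state names and sample addresses are all constructed for the example.

```python
from collections import namedtuple

# TCP flags as letters ("S", "SA", "A", "PA", "R", "F"); payload defaults to empty.
Packet = namedtuple("Packet", "src sport dst dport flags payload", defaults=[b""])

class StreamFilter:
    """Models which TCP segments reach the rule engine: stateful=True is stream4
    (or '-z est'), inspecting payload only after a complete three-way handshake;
    stateful=False is stream4 commented out, inspecting every payload segment."""
    def __init__(self, stateful=True):
        self.stateful = stateful
        self.state = {}  # connection key -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"

    @staticmethod
    def _key(p):
        # Same key for both directions of one connection.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def inspect(self, p):
        """Return True if this segment's payload should be matched against rules."""
        if not self.stateful:
            return bool(p.payload)
        k = self._key(p)
        st = self.state.get(k)
        if "R" in p.flags or "F" in p.flags:      # teardown forgets the connection
            self.state.pop(k, None)
            return False
        if p.flags == "S" and st is None:
            self.state[k] = "SYN_SENT"
        elif p.flags == "SA" and st == "SYN_SENT":
            self.state[k] = "SYN_RECV"
        elif "A" in p.flags and st == "SYN_RECV":
            self.state[k] = "ESTABLISHED"
        # A data segment with no tracked handshake behind it (the stick/snot
        # case) never reaches ESTABLISHED, so it is silently discarded here.
        return self.state.get(k) == "ESTABLISHED" and bool(p.payload)

def inspected_payloads(packets, stateful=True):
    """Count payload-bearing segments the filter hands to the rule engine."""
    f = StreamFilter(stateful)
    return sum(1 for p in packets if f.inspect(p))

# Constructed sample traffic (not a capture from the thread).
PAYLOAD, C, S = b"GET / HTTP/1.0\r\n\r\n", "10.0.0.5", "10.0.0.80"
FORGED = [Packet(C, 40000, S, 80, "PA", PAYLOAD)]            # handshake-less
REAL = [Packet(C, 40001, S, 80, "S"), Packet(S, 80, C, 40001, "SA"),
        Packet(C, 40001, S, 80, "A"), Packet(C, 40001, S, 80, "PA", PAYLOAD)]
```

With stream4 modelled as on, `inspected_payloads(FORGED)` is 0 and `inspected_payloads(REAL)` is 1; with it off, the forged segment is inspected too, which is the "light Snort up" behaviour the post describes.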

