[Snort-users] testing snorts

Eric Hines eric.hines at ...8860...
Mon Sep 12 09:45:10 EDT 2005

If you do use those tools, beware of Snort's stream4 preprocessor,
which does not log an alert until a complete three-way handshake has
completed. This eliminates noise from snot, stick, and other
variants. You all may also want to check out IDS Informer. This is a
software package designed to create a large number of alerts. It
actually simulates the victim host and completes the three-way
handshake. It is commercial and is available from Blade Software
(http://www.bladesoftware.net/prod_ids.html)

Disabling/commenting out stream4 should do the trick. I'm sure
others may have a different method but this does seem to work for me
when needing to light Snort up.


# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat stick/snot
# against TCP rules.  Also performs full TCP stream reassembly, stateful
# inspection of TCP streams, etc.  Can statefully detect various portscan
# types, fingerprinting, ECN, etc.



Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
-------------------------------------------------------------
PGP Fingerprint: 0FBA 28D4 C5C7 DF27 AE2C
                 AFC6 0519 DB2C CDB3 7914
-------------------------------------------------------------
Headquarters:
1095 Pingree Rd.
Suite 213
Crystal Lake, IL 60014
Tel: (877) 262-7593 e:327
Fax: (877) 262-7593
Mob: (847) 456-6785
Web: http://www.appliedwatch.com

Virginia Office (Intelligence/Dept. of Defense Service Area)
Cleared Personnel: TS/SCI with Polygraph
4524 Waverly Crossing Lane
Chantilly, Va. 20151
Tel: (877) 262-7593
Fax: (877) 262-7593
-------------------------------------------------------------
Enterprise Snort Management at http://www.appliedwatch.com
Security Information Management for the Open Source Enterprise.
-------------------------------------------------------------
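A toy model of the behaviour Eric describes, added here as an illustration and not part of the thread or of Snort's own code: it tracks the TCP three-way handshake per flow and applies a content match only to established connections, the way stream4 with -z est does, so forged single-packet probes of the stick/snot kind never reach the rule. The packet records, addresses and the rule content are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    """Constructed packet record with only the fields a handshake tracker needs."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str           # "S", "SA", "A", "PA"
    payload: bytes = b""

@dataclass
class HandshakeTracker:
    """A flow is established only after SYN, SYN-ACK and ACK were all seen."""
    syn_seen: set = field(default_factory=set)
    synack_seen: set = field(default_factory=set)
    established: set = field(default_factory=set)

    def observe(self, p: Packet) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            self.syn_seen.add(fwd)
        elif p.flags == "SA" and rev in self.syn_seen:
            self.synack_seen.add(rev)
        elif "A" in p.flags and fwd in self.synack_seen:
            self.established.update((fwd, rev))
        return fwd in self.established

SIGNATURE = b"/cgi-bin/phf"   # constructed rule content, not a real Snort rule

def run_sensor(packets, stateful: bool) -> list:
    """Return the packets that would raise an alert. stateful=False alerts on
    every matching packet (the noise those tools produce); stateful=True only
    inspects packets on a completed three-way handshake."""
    tracker = HandshakeTracker()
    return [p for p in packets
            if (tracker.observe(p) or not stateful) and SIGNATURE in p.payload]

def sample_traffic():
    """Constructed traffic: one real session plus three forged probes with no handshake."""
    real = [Packet("10.0.0.5", "10.0.0.80", 40000, 80, "S"),
            Packet("10.0.0.80", "10.0.0.5", 80, 40000, "SA"),
            Packet("10.0.0.5", "10.0.0.80", 40000, 80, "A"),
            Packet("10.0.0.5", "10.0.0.80", 40000, 80, "PA", b"GET /cgi-bin/phf HTTP/1.0")]
    forged = [Packet(f"192.0.2.{i}", "10.0.0.80", 1000 + i, 80, "PA", b"GET /cgi-bin/phf")
              for i in range(3)]
    return real + forged
```

Running `run_sensor(sample_traffic(), stateful=False)` yields four alerts, while the stateful run yields only the one from the completed session.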
________________________________

From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of
Kretzer, Jason R (Big Sandy)
Sent: Monday, September 12, 2005 10:13 AM
To: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] testing snorts


 
If I am not mistaken, nmap and nessus make snort go crazy with
alerts.
 
- -Jason


________________________________

	From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of snort
sara
	Sent: Monday, September 12, 2005 11:07 AM
	To: snort-users at lists.sourceforge.net
	Subject: [Snort-users] testing snorts
	
	
	Hi all,
	
	I need to show a demonstration of snort by showing some kinds of
intrusions that snort alerts on. Does anyone have a good testing tool
to test snort?
	
	Any reply will be appreciated.
	
	
	