[Snort-users] need some attacks to test snort

Benjamin Small benjamin.small83 at ...11827...
Sun Apr 22 12:12:59 EDT 2007


Hi Fossil,

There are several ways to test snort and to debug issues. If you are concerned 
that snort isn't seeing the traffic you wish to detect, then you will want to 
tcpdump on the interface and initiate traffic between the hosts you want to 
monitor. There are a quite a few vulnerability scanners you can use to test a 
snort sensor. These softwares can be complicated and are a little overkill if 
you just want to ensure your snort sensor is firing properly.

A great way to test snort's ability to fire a signature with out having to 
install a complicated vulnerability scanner is to use netcat and telnet. 
Using netcat to initiate a listening port on a remote host, say port 80. You 
can then telnet to the listener and feed it raw HTTP protocol. For example, 
once connected feed it:

GET /etc/passwd HTTP/1.1<ENTER>
<ENTER>

Press enter instead of typing <ENTER>, but this will simulate a browser 
requestion the /etc/passwd file on a webserver. This should fire 
the /etc/passwd signature, confirming the sensor is operating correctly.

Regards,
Benjamin

On Friday 20 April 2007 02:08, Patrick S. Harper wrote:
> Nessus will do that, he just mentioned that if your curently reciving ICMP
> alerts then you know Snort is runing. You also look might look at
> metasploit.
>
> > -----Original Message-----
> > From: snort-users-bounces at lists.sourceforge.net [mailto:snort-users-
> > bounces at lists.sourceforge.net] On Behalf Of Fossil
> > Sent: Friday, April 20, 2007 12:43 AM
> > To: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] need some attacks to test snort
> >
> > Thank you Joel
> > Sure, I will try BASE. About the ICMP, ya thats true but i want to
> > study more about how this rules get fired and how attacks are made, so
> > i was looking for more attacks for my understanding and learning about
> > the network security. so if you have more info regarding where i can
> > download those codes i will more than helpful.
> > best regards
> > fossil
> >
> >
> >
> > Fossil,
> >
> > #1 -- Don't use ACID, use BASE.  http://base.secureideas.net
> > #2 -- You can use something like nessus to make Snort alert to make
> > sure it's generating alerts, however, if you already receiving ICMP
> > alerts, then you know it working properly.
> >
> > Joel
> >
> > +---------------------------------------------------------------------+
> > Joel Esler                                         Security Consultant
> >      gpg key: http://demo.sourcefire.com/jesler.pgp.key
> > +---------------------------------------------------------------------+
> >
> > On Apr 19, 2007, at 9:43 PM, Fossil wrote:
> > > Hello every one
> > > i have installed snort and Acid
> > > now i need some attacks - code by which i can check snort. i mean
> > > some example code, script by running that on other machine, the
> > > snort generates alert.
> > >
> > > is there a site where i can download some attacks for testing
> > > purpose. i have the ICMP or ping based attacks but i want other
> > > ones. is there a source where i can download that code
> > >
> > > any help will be appreciated
> > > Thanks and regards
> > > fossil
> >
> > ________________________________
> >
> > Ahhh...imagining that irresistible "new car" smell?
> > Check out new cars at Yahoo! Autos.
> > <http://us.rd.yahoo.com/evt=48245/*http://autos.yahoo.com/new_cars.html
> > ;_ylc=X3oDMTE1YW1jcXJ2BF9TAzk3MTA3MDc2BHNlYwNtYWlsdGFncwRzbGsDbmV3LWNhc
> > nM->
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list