[Snort-users] need some attacks to test snort

Joel Esler joel.esler at ...1935...
Sun Apr 22 14:49:20 EDT 2007


I know www.testmyids.com has worked for some people.


+---------------------------------------------------------------------+
Joel Esler                                         Security Consultant
     gpg key: http://demo.sourcefire.com/jesler.pgp.key
+---------------------------------------------------------------------+



On Apr 22, 2007, at 12:12 PM, Benjamin Small wrote:

> Hi Fossil,
>
> There are several ways to test snort and to debug issues. If you are concerned
> that snort isn't seeing the traffic you wish to detect, then you will want to
> tcpdump on the interface and initiate traffic between the hosts you want to
> monitor. There are quite a few vulnerability scanners you can use to test a
> snort sensor. This software can be complicated and is a little overkill if
> you just want to ensure your snort sensor is firing properly.
>
> A great way to test snort's ability to fire a signature without having to
> install a complicated vulnerability scanner is to use netcat and telnet.
> Use netcat to initiate a listening port on a remote host, say port 80. You
> can then telnet to the listener and feed it raw HTTP protocol. For example,
> once connected feed it:
>
> GET /etc/passwd HTTP/1.1<ENTER>
> <ENTER>
>
> Press enter instead of typing <ENTER>, but this will simulate a browser
> requesting the /etc/passwd file on a webserver. This should fire
> the /etc/passwd signature, confirming the sensor is operating correctly.
>
> Regards,
> Benjamin
>
> On Friday 20 April 2007 02:08, Patrick S. Harper wrote:
>> Nessus will do that, he just mentioned that if you're currently receiving ICMP
>> alerts then you know Snort is running. You might also look at
>> metasploit.
>>
>>> -----Original Message-----
>>> From: snort-users-bounces at lists.sourceforge.net
>>> [mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of Fossil
>>> Sent: Friday, April 20, 2007 12:43 AM
>>> To: snort-users at lists.sourceforge.net
>>> Subject: Re: [Snort-users] need some attacks to test snort
>>>
>>> Thank you Joel
>>> Sure, I will try BASE. About the ICMP, ya that's true but I want to
>>> study more about how these rules get fired and how attacks are made, so
>>> I was looking for more attacks for my understanding and learning about
>>> the network security. So if you have more info regarding where I can
>>> download those codes it will be more than helpful.
>>> Best regards
>>> fossil
>>>
>>>
>>>
>>> Fossil,
>>>
>>> #1 -- Don't use ACID, use BASE.  http://base.secureideas.net
>>> #2 -- You can use something like nessus to make Snort alert to make
>>> sure it's generating alerts; however, if you're already receiving ICMP
>>> alerts, then you know it's working properly.
>>>
>>> Joel
>>>
>>> +---------------------------------------------------------------------+
>>> Joel Esler                                         Security Consultant
>>>      gpg key: http://demo.sourcefire.com/jesler.pgp.key
>>> +---------------------------------------------------------------------+
>>>
>>> On Apr 19, 2007, at 9:43 PM, Fossil wrote:
>>>> Hello everyone
>>>> I have installed snort and Acid.
>>>> Now I need some attacks - code by which I can check snort. I mean
>>>> some example code, script by running that on other machine, the
>>>> snort generates alert.
>>>>
>>>> Is there a site where I can download some attacks for testing
>>>> purpose? I have the ICMP or ping based attacks but I want other
>>>> ones. Is there a source where I can download that code?
>>>>
>>>> Any help will be appreciated
>>>> Thanks and regards
>>>> fossil
>>>
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
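
An added example, not part of the original thread: it scripts the netcat/telnet check Benjamin describes and then confirms the expected alert in a Snort fast-format alert log. The local rule, its sid 1000001, the addresses and the sample log lines are constructed for illustration.

```python
import re
import socket
import threading

# Constructed local rule for the probe (Snort 2 syntax, sid in the local range):
# alert tcp any any -> any 80 (msg:"LOCAL test GET /etc/passwd"; content:"/etc/passwd"; sid:1000001; rev:1;)
PROBE = b"GET /etc/passwd HTTP/1.1\r\n\r\n"  # request line, then the empty line

def send_probe_to_loopback_listener(timeout=2.0):
    """Listener plays the netcat role, client plays the telnet role; returns what the
    listener received. Loopback is demo only: a real check targets the monitored segment."""
    received = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))  # ephemeral port
        srv.listen(1)
        srv.settimeout(timeout)

        def accept_once():
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(timeout)
                data = b""
                while not data.endswith(b"\r\n\r\n"):
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    data += chunk
                received.append(data)
        worker = threading.Thread(target=accept_once)
        worker.start()
        with socket.create_connection(srv.getsockname(), timeout=timeout) as client:
            client.sendall(PROBE)
        worker.join(timeout)
    return received[0] if received else b""

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {PROTO} src -> dst
FAST_ALERT = re.compile(r"^\S+\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
                        r".*\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

def alerts_for_sid(log_text, sid, dst_port):
    matches = (FAST_ALERT.match(line.strip()) for line in log_text.splitlines())
    return [m.groupdict() for m in matches
            if m and int(m["sid"]) == sid and m["dst"].endswith(f":{dst_port}")]

# Constructed sample of an alert file after the probe was sent to 192.0.2.20:80.
SAMPLE_LOG = """\
04/22-12:12:01.104233  [**] [1:1000001:1] LOCAL test GET /etc/passwd [**] [Priority: 0] {TCP} 192.0.2.10:40112 -> 192.0.2.20:80
04/22-12:12:05.550120  [**] [1:1000002:1] LOCAL test ICMP echo [**] [Priority: 0] {ICMP} 192.0.2.10 -> 192.0.2.20
"""
```

An empty result from `alerts_for_sid` after the listener did receive the probe points at the sensor's visibility or rule set rather than at the test traffic, which is where the tcpdump step from the message comes in.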




