[Snort-users] Help to run snort on linux machine

Adam Richards adam.richards at ...14685...
Wed Apr 7 09:08:30 EDT 2010


On the attacking host create a packet by first putting the desired payload into a text file. 

vi payload.txt

AAAAAAAAAAAAAAAAAAAAAAAAA


Then create the packet with the following properties and send it to 192.168.1.22 (or whatever your host is): 
set PUSH tcp flag, interface eth0, source port 2424 destination port 81, packet body size 26 and packet data from file payload.txt 

hping3 -P -i eth0 -s 3434 -p 81 -d 26 -E ./payload.txt 192.168.1.1 (or whatever another host on your network is)



On the SNORT host "tail -f /var/log/snorttest/alert" shows that SNORT has been alerted through rule 1394 (sid) which is exactly the one we wanted to test:

 

Adam Richards,CISSP | CEH

 

From: Joel Esler [mailto:joel.esler at ...14399...] 
Sent: Wednesday, April 07, 2010 7:45 AM
To: Alan Ptak
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Help to run snort on linux machine

 

I agree, metaspolit is the best way to test snort, however, let's be clear that metaspolit is not an IDS testing tool. It's an exploitation and vulnerability testing tool. 

--

Sent from my iPad


On Apr 7, 2010, at 2:58 AM, Alan Ptak <alan.ptak at ...11827...> wrote:

	Metasploit ftw!

	 

	Nessus and nmap will also generate a good number of snort alerts with a typical set of rules.

	 

	Choose your targets carefully :-)

	2010/4/6 Edward Bjarte Fjellskål <edward.fjellskal at ...14590...>

	sri harsha wrote:
	> Thanks for the quick response.
	>
	> Does anybody know any tool which generates attack packets which are
	> stateful in nature and I can use that tool to test snort? I mean it
	> establishes the TCP connection and then send attack packets?

	Check out the awesome metasploit framework :)
	
	http://www.metasploit.com/
	
	Be ware, this may exploit the targets if they are vulnerable!
	
	
	:)

	
	------------------------------------------------------------------------------
	Download Intel® Parallel Studio Eval
	Try the new software tools for yourself. Speed compiling, find bugs
	proactively, and fine-tune applications for parallel performance.
	See why Intel Parallel Studio got high marks during beta.
	http://p.sf.net/sfu/intel-sw-dev
	_______________________________________________
	Snort-users mailing list
	Snort-users at lists.sourceforge.net
	Go to this URL to change user options or unsubscribe:
	https://lists.sourceforge.net/lists/listinfo/snort-users
	Snort-users list archive:
	http://www.geocrawler.com/redir-sf.php3?list=snort-users

	
	
	
	-- 
	Alan Ptak
	alan.ptak at ...11827...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100407/71c71114/attachment.html>


More information about the Snort-users mailing list