[Snort-users] Help to run snort on linux machine

Adam Richards adam.richards at ...14685...
Wed Apr 7 09:08:30 EDT 2010

On the attacking host create a packet by first putting the desired payload into a text file. 

vi payload.txt


Then create the packet with the following properties and send it to (or whatever your host is): 
set PUSH tcp flag, interface eth0, source port 2424 destination port 81, packet body size 26 and packet data from file payload.txt 

hping3 -P -i eth0 -s 3434 -p 81 -d 26 -E ./payload.txt (or whatever another host on your network is)

On the SNORT host "tail -f /var/log/snorttest/alert" shows that SNORT has been alerted through rule 1394 (sid) which is exactly the one we wanted to test:


Adam Richards,CISSP | CEH


From: Joel Esler [mailto:joel.esler at ...14399...] 
Sent: Wednesday, April 07, 2010 7:45 AM
To: Alan Ptak
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Help to run snort on linux machine


I agree, Metasploit is the best way to test snort, however, let's be clear that Metasploit is not an IDS testing tool. It's an exploitation and vulnerability testing tool. 


Sent from my iPad

On Apr 7, 2010, at 2:58 AM, Alan Ptak <alan.ptak at ...11827...> wrote:

	Metasploit ftw!


	Nessus and nmap will also generate a good number of snort alerts with a typical set of rules.


	Choose your targets carefully :-)

	2010/4/6 Edward Bjarte Fjellskål <edward.fjellskal at ...14590...>

	sri harsha wrote:
	> Thanks for the quick response.
	> Does anybody know any tool which generates attack packets which are
	> stateful in nature and I can use that tool to test snort? I mean it
	> establishes the TCP connection and then sends attack packets?

	Check out the awesome metasploit framework :)
	Beware, this may exploit the targets if they are vulnerable!


	Alan Ptak
	alan.ptak at ...11827...
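
Added example, not part of the original thread: a shell function that confirms the test alert described in Adam Richards' message by counting entries for a given sid in Snort's alert file, optionally limited to the test packet's source and destination ports. It assumes Snort's fast or full text alert format and IPv4 flows; the sample alerts (message text, revision, addresses) are constructed.

```shell
#!/bin/sh
# Added example: confirm that a Snort test alert fired.
# Usage: count_sid_alerts ALERT_FILE SID [SRC_PORT] [DST_PORT]
# Assumes Snort's text alert output (fast or full) and IPv4 flows.
count_sid_alerts() {
    awk -v sid="$2" -v sport="${3:-}" -v dport="${4:-}" '
    {
        # An alert header carries [gid:sid:rev]; remember whether it is ours.
        if (match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)) {
            split(substr($0, RSTART + 1, RLENGTH - 2), id, ":")
            want = (id[2] == sid)
        }
        # The flow is on the same line (fast) or on a later line (full).
        if (want && match($0, /[0-9.]+:[0-9]+ -> [0-9.]+:[0-9]+/)) {
            split(substr($0, RSTART, RLENGTH), ends, " -> ")
            sp = ends[1]; sub(/.*:/, "", sp)
            dp = ends[2]; sub(/.*:/, "", dp)
            if ((sport == "" || sp == sport) && (dport == "" || dp == dport))
                n++
            want = 0
        }
    }
    END { print n + 0 }' "$1"
}

# Constructed sample alerts: message text, revision and addresses are made up.
sample=$(mktemp)
cat > "$sample" <<'EOF'
04/07-09:01:12.000001  [**] [1:1394:5] CONSTRUCTED-MSG [**] [Priority: 1] {TCP} 192.0.2.10:3434 -> 192.0.2.20:81
04/07-09:01:13.000002  [**] [1:1000001:1] OTHER-RULE [**] [Priority: 3] {TCP} 192.0.2.10:3434 -> 192.0.2.20:81
04/07-09:01:14.000003  [**] [1:1394:5] CONSTRUCTED-MSG [**] [Priority: 1] {TCP} 192.0.2.99:40000 -> 192.0.2.20:80
[**] [1:1394:5] CONSTRUCTED-MSG [**]
[Priority: 1]
04/07-09:01:15.000004 192.0.2.10:3434 -> 192.0.2.20:81
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:66
EOF

# Ports are the ones in the posted hping3 command. On the Snort host:
#   count_sid_alerts /var/log/snorttest/alert 1394 3434 81
count_sid_alerts "$sample" 1394 3434 81
```

A count of 0 after sending the test packet means the rule did not fire for that flow, even if the same sid appears in the file for other traffic.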
