[Snort-users] how to test snort rules?

Matt Olney molney at ...1935...
Tue Feb 8 10:53:34 EST 2011


For example, https://www.openpacket.org/capture/grab/40 (ms06-040) should
fire sid:7209:

kpyke at ...15155...:~/mal_pack$ stest -Kqn ms06_04.pcap
Alerts (2.9.0, ms06_04.pcap)
1:7209:10       NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt     Alerts: 2
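One way to script the check described above (replay a capture, read the alerts back, make sure the SIDs you expect fired) is the following Python harness. It is an added example for this thread, not stest or any code from the Snort project. It assumes a Snort 2.9-era binary on PATH, a snort.conf that loads the rules under test, Snort's "fast"/console alert line format, and that a variable passed with -S overrides the conf's ipvar (if it does not in your build, edit HOME_NET in snort.conf instead, as Kevin notes below). The sample alert lines embedded in it are constructed so the parser can be exercised without running Snort.

```python
#!/usr/bin/env python3
"""Replay a pcap through Snort and check that the SIDs you expect actually fire.

Added example for this thread, not stest or any Snort project code. Assumes a
Snort 2.9-era binary on PATH, a snort.conf that loads the rules under test and
Snort's "fast"/console alert format. SAMPLE_ALERTS below is constructed input.
"""
import re
import subprocess
import sys
from collections import Counter

# One console/fast-format alert looks like:
#   02/08-10:53:34.123456  [**] [1:7209:10] NETBIOS ... overflow attempt [**] \
#       [Classification: ...] [Priority: 1] {TCP} 10.0.0.5:1045 -> 10.0.0.9:445
# Only the [gid:sid:rev] triple and the message between the [**] markers matter here.
ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")

# Constructed sample output (not a real Snort run): two hits on sid 7209, one hit
# on a local rule in the 1000000+ range, and one non-alert statistics line.
SAMPLE_ALERTS = [
    "02/08-10:53:34.123456  [**] [1:7209:10] NETBIOS DCERPC NCACN-IP-TCP srvsvc "
    "NetrPathCanonicalize overflow attempt [**] [Classification: Attempted "
    "Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.10:1045 -> 192.168.1.20:445",
    "02/08-10:53:34.223456  [**] [1:7209:10] NETBIOS DCERPC NCACN-IP-TCP srvsvc "
    "NetrPathCanonicalize overflow attempt [**] [Classification: Attempted "
    "Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.1.10:1046 -> 192.168.1.20:445",
    "02/08-10:53:35.000001  [**] [1:1000001:1] LOCAL constructed test rule [**] "
    "[Priority: 3] {TCP} 192.168.1.10:1047 -> 192.168.1.20:80",
    "Run time for packet processing was 0.012 seconds",
]


def count_alerts(lines):
    """Return ({(gid, sid): hits}, {(gid, sid): message}) for fast-format alert lines.

    Keyed on (gid, sid) rather than (gid, sid, rev): a rule update bumps rev, and a
    regression suite should not break because of that alone.
    """
    hits = Counter()
    messages = {}
    for line in lines:
        m = ALERT_RE.search(line)
        if m is None:
            continue  # banner, packet statistics, blank line: not an alert
        gid, sid, msg = int(m.group(1)), int(m.group(2)), m.group(4)
        hits[(gid, sid)] += 1
        messages[(gid, sid)] = msg
    return hits, messages


def missing_sids(hits, expected):
    """Return the expected (gid, sid) pairs that never fired, sorted."""
    return sorted(key for key in expected if hits.get(key, 0) == 0)


def parse_sid(text):
    """Accept '7209' or '1:7209'; gid defaults to 1, the gid of ordinary text rules."""
    parts = text.split(":")
    return (int(parts[0]), int(parts[1])) if len(parts) == 2 else (1, int(parts[0]))


def snort_alerts(pcap, conf, home_net=None, snort_bin="snort"):
    """Run Snort read-only over a pcap and return its console alert lines.

    -q drops the banner, -A console writes fast-format alerts to stdout, -k none
    skips checksum verification so captures with offloaded or bad checksums still
    reach detection, -r reads the pcap instead of sniffing an interface. home_net,
    if given, is passed with -S; this assumes the command line value overrides the
    conf's ipvar HOME_NET (edit snort.conf instead if your build disagrees).
    """
    cmd = [snort_bin, "-q", "-A", "console", "-k", "none", "-c", conf, "-r", pcap]
    if home_net is not None:
        cmd += ["-S", f"HOME_NET={home_net}"]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def main(argv):
    if len(argv) == 1:
        # No arguments: exercise the parser on the constructed sample, offline.
        lines, expected = SAMPLE_ALERTS, [(1, 7209)]
    elif len(argv) >= 4:
        conf, pcap = argv[1], argv[2]
        expected = [parse_sid(s) for s in argv[3:]]
        lines = snort_alerts(pcap, conf, home_net="any")
    else:
        print(f"usage: {argv[0]} [snort.conf capture.pcap SID [SID ...]]", file=sys.stderr)
        return 2
    hits, messages = count_alerts(lines)
    for (gid, sid), n in sorted(hits.items()):
        print(f"{gid}:{sid}\t{messages[(gid, sid)]}\tAlerts: {n}")
    missing = missing_sids(hits, expected)
    for gid, sid in missing:
        print(f"MISSING {gid}:{sid}", file=sys.stderr)
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `./check_sids.py snort.conf ms06_04.pcap 7209` and the exit status is non-zero when an expected SID is silent, which makes it usable from a rule-update pre-deploy script; with no arguments it runs over the constructed sample only. Matching on gid:sid rather than the full gid:sid:rev is deliberate, since the rev changes every time the rule text is revised.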


On Tue, Feb 8, 2011 at 7:38 AM, Kevin Ross <kevross33 at ...14012...> wrote:

> You could also look at openpacket.org and set snort to read the packets in
> (make sure you haven't set your $HOME_NET variable when testing it, so it will
> fire on any IP; though in practice you should have your $HOME_NET set and
> then EXTERNAL_NET as !$HOME_NET so it considers everything else non-internal). I
> would also advise using the emergingthreats snort rules (google them) for
> some free rules which cover a lot of malware, command and control, known
> hostile IP addresses, exploits, scanners and so on. You could also look on
> sites like exploit-db.com for vulnerabilities which are covered, to test
> them from another system.
>
> Regards, Kevin
>
> On 8 February 2011 09:29, anvin igcar <avigcar at ...11827...> wrote:
>
>> Dear members
>>   I am new to snort and I installed it on my Fedora 12 system. SNORT is
>> running properly and I am using BASE to view snort alerts. I want to know
>> how to test snort rules; I want to test my running snort before deploying
>> it.
>> Is there any software which would do this?
>>
>> Thanks
>>
>>
>>
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>> Pinpoint memory and threading errors before they happen.
>> Find and fix more than 250 security defects in the development cycle.
>> Locate bottlenecks in serial and parallel code that limit performance.
>> http://p.sf.net/sfu/intel-dev2devfeb
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>