[Snort-users] how to test snort rules?

Matt Olney molney at ...1935...
Tue Feb 8 15:05:56 EST 2011


Sort of a fox-hen house issue there, but it should at least test some parts
of it.  It's a hard problem; you'll have to mimic DCE/RPC, web traffic,
etc. to trigger flowbits and prime the dcerpc preprocessor.

I might try to put together some pcaps that test the major functionality of
Snort so you can check your configs.

/me adds to my extensive todo list

Matt

On Tue, Feb 8, 2011 at 12:12 PM, Fraser, Hugh <hugh.fraser at ...15146...> wrote:

>  There's also a project, still in development, called Rule2Alert that
> imports snort rules and uses Scapy to generate the corresponding traffic to
> trigger the rules. It's at www.malforge.com.
>
>  ------------------------------
> *From:* Matt Olney [mailto:molney at ...1935...]
> *Sent:* Tuesday, February 08, 2011 10:54 AM
> *To:* Kevin Ross
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] how to test snort rules?
>
> For example, https://www.openpacket.org/capture/grab/40 (ms06-040) should
> fire sid:7209:
>
>  kpyke at ...15155...:~/mal_pack$ stest -Kqn ms06_04.pcap
> Alerts (2.9.0, ms06_04.pcap)
> 1:7209:10       NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize
> overflow attempt     Alerts: 2
>
>
> On Tue, Feb 8, 2011 at 7:38 AM, Kevin Ross <kevross33 at ...14012...> wrote:
>
>> You could also look at openpacket.org and set snort to read the packet in
>> (make sure you haven't set your $HOME_NET variable when testing, so it will
>> fire on any IP; in practice, though, you should have your $HOME_NET set and
>> then EXTERNAL_NET !HOME_NET so it considers everything else non-internal). I
>> would also advise using the emergingthreats snort rules (google them) for
>> some free rules which cover a lot of malware, command and control, known
>> hostile IP addresses, exploits, scanners and so on. You could also look on
>> sites like exploit-db.com for vulnerabilities which are covered to test
>> them from another system.
>>
>> Regards, Kevin
>>
>> On 8 February 2011 09:29, anvin igcar <avigcar at ...11827...> wrote:
>>
>>> Dear members,
>>> I am new to snort and I installed it on my Fedora 12 system. SNORT is
>>> running properly and I am using BASE to view snort alerts. I want to know
>>> how to test snort rules; I want to test my running snort before deploying
>>> it.
>>> Is there any software which would do this?
>>>
>>> Thanks
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>>> Pinpoint memory and threading errors before they happen.
>>> Find and fix more than 250 security defects in the development cycle.
>>> Locate bottlenecks in serial and parallel code that limit performance.
>>> http://p.sf.net/sfu/intel-dev2devfeb
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>
>
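As an added example (not code from anyone in the thread), a small Python harness in the spirit of the stest summary quoted above: it parses Snort alert_fast output, counts alerts per gid:sid:rev, and reports which expected SIDs never fired, so a pcap replay (e.g. `snort -A fast -r ms06_04.pcap` with HOME_NET left at any) can be checked for sid 7209 automatically. The alert lines are constructed samples, and SID 12345 is a placeholder for a rule that was expected but did not fire.

```python
"""Summarise Snort alert_fast output per gid:sid:rev and check which expected SIDs fired."""
import re

# One alert_fast line:  <timestamp>  [**] [gid:sid:rev] <msg> [**] ... {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def parse_alert_fast(text):
    """Return one dict per parseable alert line; lines that are not alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("gid", "sid", "rev"):
                d[k] = int(d[k])
            alerts.append(d)
    return alerts

def summarize(alerts):
    """Map (gid, sid, rev) -> {"msg", "count"}, mirroring the 'Alerts: N' summary in the thread."""
    summary = {}
    for a in alerts:
        entry = summary.setdefault((a["gid"], a["sid"], a["rev"]), {"msg": a["msg"], "count": 0})
        entry["count"] += 1
    return summary

def missing_sids(summary, expected):
    """Return the expected gid-1 (text rule) SIDs that never fired, sorted."""
    fired = {sid for (gid, sid, _rev) in summary if gid == 1}
    return sorted(set(expected) - fired)

# Constructed sample alert_fast output; the SID and message follow the ms06-040 example above.
SAMPLE = """\
02/08-12:12:00.100000  [**] [1:7209:10] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:1097 -> 10.0.0.9:445
02/08-12:12:00.200000  [**] [1:7209:10] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:1098 -> 10.0.0.9:445
02/08-12:12:01.000000  [**] [1:99999:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:1099 -> 10.0.0.9:80
Running in IDS mode
"""

if __name__ == "__main__":
    s = summarize(parse_alert_fast(SAMPLE))
    for (gid, sid, rev), e in sorted(s.items()):
        print(f"{gid}:{sid}:{rev}\t{e['msg']}\tAlerts: {e['count']}")
    # 12345 is a placeholder SID that the constructed sample never triggers
    print("expected but not fired:", missing_sids(s, [7209, 12345]))
```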