[Snort-users] how to test snort rules?

Fraser, Hugh hugh.fraser at ...15146...
Tue Feb 8 12:12:56 EST 2011


There's also a project, still in development, called Rule2Alert that
imports snort rules and uses Scapy to generate the corresponding traffic
to trigger the rules. It's at www.malforge.com.

________________________________

From: Matt Olney [mailto:molney at ...1935...] 
Sent: Tuesday, February 08, 2011 10:54 AM
To: Kevin Ross
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] how to test snort rules?


For example, https://www.openpacket.org/capture/grab/40 (ms06-040)
should fire sid:7209: 

kpyke at ...15155...:~/mal_pack$ stest -Kqn ms06_04.pcap
Alerts (2.9.0, ms06_04.pcap)
1:7209:10       NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize
overflow attempt     Alerts: 2


On Tue, Feb 8, 2011 at 7:38 AM, Kevin Ross <kevross33 at ...14012...>
wrote:


	You could also look at openpacket.org and set snort to read the
packet in (make sure you haven't set your $HOME_NET variable and to test
it so it will fire on any IP though in practice you should have your
$HOME_NET set and then EXTERNAL_NET !HOME_NET so it considers everything
else non-internal). I would also advise using the emergingthreats snort
rules (google them) for some free rules which cover a lot of malware,
command and control, known hostile IP address, exploits, scanners and so
on. You could also look on sites like exploit-db.com for vulnerabilities
which are covered to test them from another system.
	
	Regards, Kevin 
	
	
	On 8 February 2011 09:29, anvin igcar <avigcar at ...11827...> wrote:
	

		Dear members
		  I am new in snort and I installed it on my Fedora 12
system. SNORT is running properly and I am using BASE to view snort
alerts. I want to know how to test snort rules , I want to test my
running snort before deploying it. 
		Is there any software which would do this?
		
		Thanks
		
		
		
	
------------------------------------------------------------------------
------
		The ultimate all-in-one performance toolkit: Intel(R)
Parallel Studio XE:
		Pinpoint memory and threading errors before they happen.
		Find and fix more than 250 security defects in the
development cycle.
		Locate bottlenecks in serial and parallel code that
limit performance.
		http://p.sf.net/sfu/intel-dev2devfeb
		_______________________________________________
		Snort-users mailing list
		Snort-users at lists.sourceforge.net
		Go to this URL to change user options or unsubscribe:
		https://lists.sourceforge.net/lists/listinfo/snort-users
		Snort-users list archive:
		http://www.geocrawler.com/redir-sf.php3?list=snort-users
		



	
------------------------------------------------------------------------
------
	The ultimate all-in-one performance toolkit: Intel(R) Parallel
Studio XE:
	Pinpoint memory and threading errors before they happen.
	Find and fix more than 250 security defects in the development
cycle.
	Locate bottlenecks in serial and parallel code that limit
performance.
	http://p.sf.net/sfu/intel-dev2devfeb
	_______________________________________________
	Snort-users mailing list
	Snort-users at lists.sourceforge.net
	Go to this URL to change user options or unsubscribe:
	https://lists.sourceforge.net/lists/listinfo/snort-users
	Snort-users list archive:
	http://www.geocrawler.com/redir-sf.php3?list=snort-users
	


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20110208/94501586/attachment.html>


More information about the Snort-users mailing list