[Snort-users] how to test snort rules?

Matthew Jonkman jonkman at ...15020...
Wed Feb 9 13:11:55 EST 2011


I highly recommend Rule2Alert. Famousjs, a former ET and OISF employee, maintains that. Great project! We use it heavily.

Matt

On Feb 8, 2011, at 12:12 PM, Fraser, Hugh wrote:

> There's also a project, still in development, called Rule2Alert that imports snort rules and uses Scapy to generate the corresponding traffic to trigger the rules. It's at www.malforge.com.
> 
> From: Matt Olney [mailto:molney at ...1935...] 
> Sent: Tuesday, February 08, 2011 10:54 AM
> To: Kevin Ross
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] how to test snort rules?
> 
> For example, https://www.openpacket.org/capture/grab/40 (ms06-040) should fire sid:7209:
> 
> kpyke at ...15155...:~/mal_pack$ stest -Kqn ms06_04.pcap
> Alerts (2.9.0, ms06_04.pcap)
> 1:7209:10       NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt     Alerts: 2
> 
> 
> On Tue, Feb 8, 2011 at 7:38 AM, Kevin Ross <kevross33 at ...14012...> wrote:
> You could also look at openpacket.org and set Snort to read the packet in (make sure you haven't set your $HOME_NET variable when testing, so it will fire on any IP; though in practice you should have your $HOME_NET set and then EXTERNAL_NET !HOME_NET so it considers everything else non-internal). I would also advise using the emergingthreats Snort rules (google them) for some free rules which cover a lot of malware, command and control, known hostile IP addresses, exploits, scanners and so on. You could also look on sites like exploit-db.com for vulnerabilities which are covered, to test them from another system.
> 
> Regards, Kevin 
> 
> On 8 February 2011 09:29, anvin igcar <avigcar at ...11827...> wrote:
> Dear members,
>   I am new to Snort and I installed it on my Fedora 12 system. Snort is running properly and I am using BASE to view Snort alerts. I want to know how to test Snort rules; I want to test my running Snort before deploying it.
> Is there any software which would do this?
> 
> Thanks
> 
> 
> ------------------------------------------------------------------------------
> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> Pinpoint memory and threading errors before they happen.
> Find and fix more than 250 security defects in the development cycle.
> Locate bottlenecks in serial and parallel code that limit performance.
> http://p.sf.net/sfu/intel-dev2devfeb
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
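As an added example (not code from the thread, from stest, or from Rule2Alert), here is a small Python check that turns Snort alert_fast output from a pcap replay into the per-SID count shown in Matt Olney's message and flags expected SIDs that never fired. It assumes the standard alert_fast line format and uses constructed alert lines rather than real capture output.

```python
import re
from collections import OrderedDict

# alert_fast line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

def summarize_alerts(lines):
    """Count alerts per (gid, sid, rev), keeping the rule message, in first-seen order."""
    summary = OrderedDict()
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line (blank line, stats, banner, etc.)
        key = (int(m["gid"]), int(m["sid"]), int(m["rev"]))
        msg, count = summary.get(key, (m["msg"], 0))
        summary[key] = (msg, count + 1)
    return summary

def missing_sids(summary, expected_sids):
    """Return the expected SIDs that produced no alert: the regression check for a test pcap."""
    fired = {sid for (_gid, sid, _rev) in summary}
    return sorted(set(expected_sids) - fired)

def format_report(summary):
    """Render like the stest output in the thread: gid:sid:rev  msg  Alerts: N."""
    return [f"{g}:{s}:{r}\t{msg}\tAlerts: {n}" for (g, s, r), (msg, n) in summary.items()]

# Constructed sample alert_fast output (hypothetical addresses and a made-up ET-style SID, not real capture data).
SAMPLE_ALERTS = """\
02/08-10:54:01.000001  [**] [1:7209:10] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:1041 -> 192.0.2.20:445
02/08-10:54:01.000002  [**] [1:7209:10] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:1041 -> 192.0.2.20:445
02/08-10:54:02.000003  [**] [1:2000000:1] ET POLICY constructed sample rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:1042 -> 192.0.2.20:80
""".splitlines()

if __name__ == "__main__":
    s = summarize_alerts(SAMPLE_ALERTS)
    print("\n".join(format_report(s)))
    # 7210 is listed as expected but never fires in the sample, so it is reported as missing.
    print("missing:", missing_sids(s, [7209, 2000000, 7210]))
```

Feed it the alert file Snort writes when run with `-r` against the pcap and the list of SIDs the pcap is supposed to trigger; a non-empty missing list means the rule set or variables (such as $HOME_NET) need a second look before deployment.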
