[Snort-users] how to test snort rules?

Matt Olney molney at ...1935...
Wed Feb 9 13:15:07 EST 2011


What do you use it for?  It's a completely invalid functional test, since
you're mimicking the rule.  What is the purpose?

On Wed, Feb 9, 2011 at 1:11 PM, Matthew Jonkman <jonkman at ...15020...> wrote:

> I highly recommend Rule2Alert. Famousjs, a former ET and OISF employee,
> maintains that. Great project! We use it heavily.
>
> Matt
>
> On Feb 8, 2011, at 12:12 PM, Fraser, Hugh wrote:
>
>  There's also a project, still in development, called Rule2Alert that
> imports snort rules and uses Scapy to generate the corresponding traffic to
> trigger the rules. It's at www.malforge.com.
>
>  ------------------------------
> *From:* Matt Olney [mailto:molney at ...1935...]
> *Sent:* Tuesday, February 08, 2011 10:54 AM
> *To:* Kevin Ross
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] how to test snort rules?
>
> For example, https://www.openpacket.org/capture/grab/40 (ms06-040) should
> fire sid:7209:
>
>  kpyke at ...15155...:~/mal_pack$ stest -Kqn ms06_04.pcap
> Alerts (2.9.0, ms06_04.pcap)
> 1:7209:10       NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize
> overflow attempt     Alerts: 2
>
>
> On Tue, Feb 8, 2011 at 7:38 AM, Kevin Ross <kevross33 at ...14012...> wrote:
>
>> You could also look at openpacket.org and set Snort to read the packet in
>> (make sure you haven't set your $HOME_NET variable when you test it, so it
>> will fire on any IP, though in practice you should have your $HOME_NET set
>> and then EXTERNAL_NET !HOME_NET so it considers everything else non-internal).
>> I would also advise using the Emerging Threats Snort rules (google them) for
>> some free rules which cover a lot of malware, command and control, known
>> hostile IP addresses, exploits, scanners and so on. You could also look on
>> sites like exploit-db.com for vulnerabilities which are covered, to test
>> them from another system.
>>
>> Regards, Kevin
>>
>>   On 8 February 2011 09:29, anvin igcar <avigcar at ...11827...> wrote:
>>
>>>  Dear members,
>>>   I am new to Snort and I installed it on my Fedora 12 system. Snort is
>>> running properly and I am using BASE to view Snort alerts. I want to know
>>> how to test Snort rules; I want to test my running Snort before deploying
>>> it.
>>> Is there any software which would do this?
>>>
>>> Thanks
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>>> Pinpoint memory and threading errors before they happen.
>>> Find and fix more than 250 security defects in the development cycle.
>>> Locate bottlenecks in serial and parallel code that limit performance.
>>> http://p.sf.net/sfu/intel-dev2devfeb
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>>
>>
>>
>
>
>
>
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
>
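The thread contrasts two ways of testing a rule: replaying a real capture (openpacket.org, `snort -r`) and generating traffic from the rule text itself (Rule2Alert). The following is an added example, written for this page and not code from the thread or from the Rule2Alert project: it pulls the `content:` matchers out of a Snort rule, concatenates them into a payload, wraps that payload in a synthetic TCP session (handshake plus one data segment, so `flow:established` can be satisfied) and writes a libpcap file that `snort -r` will read. The sample rule, sid 1000001, the MAC and IP addresses and the port numbers are all constructed for the demo; only the plain content chain is honoured, and `offset`, `depth`, `within` and `pcre` are ignored, which is exactly why such a pcap shows that the rule matches bytes derived from itself and nothing more.

```python
import struct
from socket import inet_aton
# Constructed sample rule (made-up sid/msg/contents, not any real VRT or ET rule).
SAMPLE_RULE = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 '
               r'(msg:"EXAMPLE SMB pipe probe"; flow:to_server,established; '
               r'content:"|ff|SMB"; content:"|a2 00|"; distance:0; '
               r'content:"\\PIPE\\"; nocase; sid:1000001; rev:1;)')
ETH = bytes.fromhex("001122334455 66778899aabb 0800")  # dst MAC, src MAC, IPv4
SYN, ACK, PSH = 0x02, 0x10, 0x08

def split_options(body):
    """Split a rule body on ';' while honouring quotes and backslash escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if not escaped and ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        if not escaped and ch == '"':
            in_quote = not in_quote
        escaped = ch == "\\" and not escaped
        cur.append(ch)
    tail = "".join(cur).strip()
    return opts + [tail] if tail else opts

def decode_content(text):
    """Inside of content:"...": |hex| blocks and \\-escapes become raw bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "|":
            end = text.index("|", i + 1)
            out += bytes.fromhex(text[i + 1:end])
            i = end + 1
        else:
            i += text[i] == "\\"  # escape: skip the backslash, keep the next char
            out.append(ord(text[i]))
            i += 1
    return bytes(out)

def parse_rule(rule):
    """Return (fixed dst port or None, [[content_bytes, nocase], ...])."""
    header, _, body = rule.partition("(")
    fields = header.split()
    dport = int(fields[6]) if fields[6].isdigit() else None
    contents = []
    for opt in split_options(body.rstrip().rstrip(")")):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if name == "content" and not value.startswith("!"):  # negated content skipped
            contents.append([decode_content(value.strip('"')), False])
        elif name == "nocase" and contents:
            contents[-1][1] = True
    return dport, contents

def chain_matches(payload, contents):
    """Each content must occur after the previous one (the relative-match chain)."""
    pos = 0
    for blob, nocase in contents:
        hay, needle = (payload.lower(), blob.lower()) if nocase else (payload, blob)
        pos = hay.find(needle, pos)
        if pos < 0:
            return False
        pos += len(needle)
    return True

def checksum(data):
    """RFC 1071 ones'-complement sum, shared by the IPv4 and TCP headers."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, 6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def tcp(src, dst, sport, dport, flags, seq, ack, data=b""):
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(hdr) + len(data))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr + data)) + hdr[18:] + data

def build_session(payload, dport, client="10.0.0.1", server="192.168.1.10", sport=40000):
    """Three-way handshake plus one data segment, so flow:established can be met."""
    c, s = inet_aton(client), inet_aton(server)
    cs, ss = 1000, 5000
    segs = [(c, s, sport, dport, SYN, cs, 0, b""),
            (s, c, dport, sport, SYN | ACK, ss, cs + 1, b""),
            (c, s, sport, dport, ACK, cs + 1, ss + 1, b""),
            (c, s, sport, dport, PSH | ACK, cs + 1, ss + 1, payload)]
    return [ETH + ipv4(a, b, tcp(a, b, sp, dp, fl, seq, ack, d))
            for a, b, sp, dp, fl, seq, ack, d in segs]

def pcap_bytes(frames):
    """libpcap file: global header (linktype 1 = Ethernet) then one record per frame."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1297180800 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)

def rule_to_pcap(rule, dport=None):
    """Payload = contents concatenated in rule order; offset/depth/within/pcre ignored."""
    port, contents = parse_rule(rule)
    payload = b"".join(blob for blob, _ in contents)
    assert chain_matches(payload, contents)
    return payload, pcap_bytes(build_session(payload, port or dport))
```

To use it, write the second element of `rule_to_pcap(SAMPLE_RULE)` to a file, say `rule2alert_demo.pcap`, load the sample rule into a local rules file and run `snort -c snort.conf -r rule2alert_demo.pcap -A console -q`. Kevin's point about `$HOME_NET` applies directly: the rule's destination side must cover the constructed server address 192.168.1.10 (or be `any`) or the rule will never be evaluated, and the handshake packets are there because stream5 will not treat the data segment as `established` without them. Matt Olney's objection also stands: a pass here proves that the rule's content chain matches a payload built from the rule, not that it fires on the ms06-040 traffic it was written for, so the real capture from openpacket.org remains the test that counts.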