[Snort-users] how to test snort rules?

Matthew Jonkman jonkman at ...15020...
Wed Feb 9 13:17:38 EST 2011


It's not FP testing if that's what you're thinking. :)

It's for engine testing and load testing primarily. Testing keywords, preprocessors, reassembly, etc. Not the only tool, but a very useful one!

Matt

On Feb 9, 2011, at 1:15 PM, Matt Olney wrote:

> What do you use it for? It's a completely invalid functional test, since you're mimicking the rule. What is the purpose?
> 
> On Wed, Feb 9, 2011 at 1:11 PM, Matthew Jonkman <jonkman at ...15020...> wrote:
> I highly recommend Rule2Alert. Famousjs, a former ET and OISF employee, maintains that. Great project! We use it heavily.
> 
> Matt
> 
> On Feb 8, 2011, at 12:12 PM, Fraser, Hugh wrote:
> 
>> There's also a project, still in development, called Rule2Alert that imports snort rules and uses Scapy to generate the corresponding traffic to trigger the rules. It's at www.malforge.com.
>> 
>> From: Matt Olney [mailto:molney at ...1935...] 
>> Sent: Tuesday, February 08, 2011 10:54 AM
>> To: Kevin Ross
>> Cc: snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] how to test snort rules?
>> 
>> For example, https://www.openpacket.org/capture/grab/40 (ms06-040) should fire sid:7209:
>> 
>> kpyke at ...15155...:~/mal_pack$ stest -Kqn ms06_04.pcap
>> Alerts (2.9.0, ms06_04.pcap)
>> 1:7209:10       NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt     Alerts: 2
>> 
>> 
>> On Tue, Feb 8, 2011 at 7:38 AM, Kevin Ross <kevross33 at ...14012...> wrote:
>> You could also look at openpacket.org and set snort to read the packet in (make sure you haven't set your $HOME_NET variable when testing it, so it will fire on any IP, though in practice you should have your $HOME_NET set and then $EXTERNAL_NET !$HOME_NET so it considers everything else non-internal). I would also advise using the emergingthreats snort rules (google them) for some free rules which cover a lot of malware, command and control, known hostile IP addresses, exploits, scanners and so on. You could also look on sites like exploit-db.com for vulnerabilities which are covered, to test them from another system.
>> 
>> Regards, Kevin 
>> 
>> On 8 February 2011 09:29, anvin igcar <avigcar at ...11827...> wrote:
>> Dear members
>> I am new to snort and I installed it on my Fedora 12 system. SNORT is running properly and I am using BASE to view snort alerts. I want to know how to test snort rules; I want to test my running snort before deploying it.
>> Is there any software which would do this?
>> 
>> Thanks
>> 
>> 
>> ------------------------------------------------------------------------------
>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
>> Pinpoint memory and threading errors before they happen.
>> Find and fix more than 250 security defects in the development cycle.
>> Locate bottlenecks in serial and parallel code that limit performance.
>> http://p.sf.net/sfu/intel-dev2devfeb
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>> 
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
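The pcap-replay check Matt Olney describes (replay a capture, confirm that sid 7209 fires) can be scripted as a regression test. The following is an added example, not code from Snort, stest or any of the list authors: it parses Snort's fast-alert output, counts alerts per generator:sid:rev, and compares them with the sids a capture is expected to trigger. The `run_snort()` command line is an assumption about Snort 2.9 flags and must be checked against the local install; the alert lines in `SAMPLE_ALERTS` are constructed, and sid 1000001 is a placeholder in the local-rule range, not a real signature.

```python
"""Added example (not Snort's, stest's or the list authors' code): a small
regression check in the style of the stest output quoted in the thread.
It parses Snort's fast-alert format (what -A fast / -A console emit), counts
alerts per gid:sid:rev and compares them with the sids a pcap should fire.
run_snort() is a convenience wrapper whose flags are an assumption about
Snort 2.9; adapt them to the local install. SAMPLE_ALERTS is constructed."""
import re
import shutil
import subprocess
from collections import Counter

# One fast-format alert per line:
# "<ts> [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst"
FAST_ALERT = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")


def parse_fast_alerts(text: str):
    """Return ({'gid:sid:rev': count}, {'gid:sid:rev': msg}) from fast-alert output."""
    counts, msgs = Counter(), {}
    for line in text.splitlines():
        m = FAST_ALERT.search(line)
        if not m:
            continue  # banner, statistics and blank lines carry no alert
        gid, sid, rev, msg = m.groups()
        key = f"{gid}:{sid}:{rev}"
        counts[key] += 1
        msgs[key] = msg
    return counts, msgs


def check_expected(counts, expected_sids, gid="1"):
    """Compare the sids that fired (any revision) with the sids the capture
    should trigger. Returns (missing, unexpected) as sorted sid strings."""
    fired = {key.split(":")[1] for key in counts if key.split(":")[0] == gid}
    expected = {str(s) for s in expected_sids}
    return sorted(expected - fired, key=int), sorted(fired - expected, key=int)


def run_snort(config: str, pcap: str, snort_bin: str = "snort") -> str:
    """Replay a pcap through Snort and return the fast alerts it printed.
    Flags (assumed Snort 2.9 semantics): -q quiet, -A console fast alerts on
    stdout, -N no packet logging, -k none skip checksum verification (crafted
    pcaps often have none), -c config, -r read from file."""
    if shutil.which(snort_bin) is None:
        raise FileNotFoundError(f"{snort_bin} not found on PATH")
    proc = subprocess.run(
        [snort_bin, "-q", "-A", "console", "-N", "-k", "none", "-c", config, "-r", pcap],
        capture_output=True, text=True, check=False)
    return proc.stdout


def summarize(counts, msgs) -> str:
    """stest-like one-line-per-rule summary."""
    return "\n".join(f"{k:<14}{msgs[k]:<70}Alerts: {counts[k]}" for k in sorted(counts))


# Constructed sample in Snort's fast-alert layout: two hits on sid 7209 plus
# one hit on a local placeholder rule (sid 1000001 is not a real signature).
SAMPLE_ALERTS = """\
02/08-10:54:01.000123  [**] [1:7209:10] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.1:1034 -> 10.0.0.2:445
02/08-10:54:01.000456  [**] [1:7209:10] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrPathCanonicalize overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.1:1034 -> 10.0.0.2:445
02/08-10:54:02.000789  [**] [1:1000001:1] LOCAL test rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.1:1035 -> 10.0.0.2:445
"""

if __name__ == "__main__":
    counts, msgs = parse_fast_alerts(SAMPLE_ALERTS)
    print(summarize(counts, msgs))
    print("missing/unexpected:", check_expected(counts, [7209]))
```

The point of the `unexpected` list is the one Matt Olney raises: replaying a capture that matches the rule proves the rule can fire, not that it fires only on what you intend, so keep the set of expected sids per pcap in version control and treat any new sid on an old capture as something to explain.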


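Rule2Alert, as Hugh Fraser and Matthew Jonkman describe it, reads a Snort rule and generates traffic that should trip it. The block below is an added example in that spirit and is not Rule2Alert's, Snort's or the list authors' code: it pulls the `content:` matches out of one TCP rule, joins them into a single payload, and writes a pcap with a three-way handshake followed by that payload, so the stream preprocessor sees an established session when the file is replayed with `snort -r`. Only a small subset of the rule language is handled (positive `content:` with `|hex|` escapes and a numeric destination port); `distance`, `within`, `offset`, `pcre` and the like are ignored, so a real rule may still not fire. The IP and MAC addresses, sequence numbers and `SAMPLE_RULE` are constructed.

```python
"""Added example, not Rule2Alert's or Snort's own code: a tiny rule-to-pcap
generator. It extracts the positive content: options from one Snort TCP rule,
concatenates them into a payload, and writes a pcap containing a three-way
handshake plus that payload as the first client segment, so stream5 treats
the session as established. Unsupported rule options are ignored.
Addresses, ports, sequence numbers and SAMPLE_RULE are constructed."""
import re
import socket
import struct

CLIENT_IP, SERVER_IP = "10.0.0.1", "10.0.0.2"          # constructed endpoints
CLIENT_MAC = bytes.fromhex("001122334455")
SERVER_MAC = bytes.fromhex("66778899aabb")
SYN, ACK, PSH = 0x02, 0x10, 0x08

RULE_HDR = re.compile(r"^\s*alert\s+tcp\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s*\((.*)\)\s*$", re.S)
CONTENT = re.compile(r'content:\s*(!?)\s*"((?:[^"\\]|\\.)*)"')


def decode_content(raw: str) -> bytes:
    """Body of a content:"..." option to bytes: literal text outside the
    pipes, hex pairs inside |..|, backslash escapes (\\" \\; \\\\) removed."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        if i % 2:
            out += bytes.fromhex(part)
        else:
            out += re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)


def parse_rule(rule: str, default_port: int = 80):
    """Return (dst_port, payload). Port variables such as $HTTP_PORTS fall
    back to default_port (an assumption); negated content: is skipped."""
    m = RULE_HDR.match(rule)
    if not m:
        raise ValueError("only 'alert tcp ... -> ... port (...)' rules are handled")
    port_txt, opts = m.groups()
    port = int(port_txt) if port_txt.isdigit() else default_port
    payload = b"".join(decode_content(body) for neg, body in CONTENT.findall(opts) if not neg)
    if not payload:
        raise ValueError("rule has no positive content: option")
    return port, payload


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_frame(src, dst, smac, dmac, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    return dmac + smac + b"\x08\x00" + ip + tcp


def build_session(payload: bytes, dport: int, sport: int = 40000):
    """Client handshake, then the payload as the first client segment (the
    direction a flow:to_server rule expects)."""
    c = (CLIENT_IP, SERVER_IP, CLIENT_MAC, SERVER_MAC, sport, dport)
    s = (SERVER_IP, CLIENT_IP, SERVER_MAC, CLIENT_MAC, dport, sport)
    cseq, sseq = 1000, 5000                               # constructed ISNs
    return [
        tcp_frame(*c, cseq, 0, SYN),
        tcp_frame(*s, sseq, cseq + 1, SYN | ACK),
        tcp_frame(*c, cseq + 1, sseq + 1, ACK),
        tcp_frame(*c, cseq + 1, sseq + 1, PSH | ACK, payload),
    ]


def write_pcap(path: str, frames) -> int:
    """Write frames as a classic pcap (link type 1 = Ethernet); return count."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", 1_000_000 + i, i * 1000, len(fr), len(fr)) + fr)
    return len(frames)


def rule_to_pcap(rule: str, path: str) -> bytes:
    """Generate a pcap for one rule; returns the payload that was written."""
    port, payload = parse_rule(rule)
    write_pcap(path, build_session(payload, port))
    return payload


def frame_checksums_ok(frame: bytes) -> bool:
    """Self-check: a correct IPv4 header and TCP segment both sum to zero."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _csum(ip) == 0 and _csum(pseudo + tcp) == 0


# Constructed local rule (sid 1000001 is a placeholder, not a VRT/ET signature).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL test rule"; '
               'flow:to_server,established; content:"|05 00 0B|"; '
               'content:"NetrPathCanonicalize"; sid:1000001; rev:1;)')

if __name__ == "__main__":
    print(rule_to_pcap(SAMPLE_RULE, "rule_1000001.pcap"))
```

As Matt Olney points out, a capture built from the rule itself says nothing about false positives or about whether the rule catches a real exploit; what it does exercise, and what Jonkman uses it for, is the engine path: that the rule loads, that the content matcher and the stream preprocessor handle the session, and how the sensor behaves under a large volume of such sessions.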
