[Snort-users] how to test snort rules?
wkitty42 at ...14940...
Wed Feb 9 22:30:57 EST 2011
On 2/8/2011 12:12, Fraser, Hugh wrote:
> There's also a project, still in development, called Rule2Alert that imports
> snort rules and uses Scapy to generate the corresponding traffic to trigger the
> rules. It's at http://www.malforge.com.
I've used rule2alert and it does do exactly what it says it does... however,
what it does not do, at least at the time of my testing, is to create a pcap
that is "larger" than the rule's requirements for testing...
In other words, it creates exactly what the rule is looking for and nothing
more... in my case, I needed additional pcaps that carried traffic "larger" than
the specifics but that still contained the specifics... if that makes any sense.
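One way to produce the kind of "larger" test capture described above, as an added example that is not part of this thread and not Rule2Alert's own code: a dependency-free pcap writer that places a rule's content match inside a longer TCP payload, with valid IP and TCP checksums so Snort's default checksum verification does not skip the packet. The hosts, ports, MAC addresses and the content string are constructed placeholders.

```python
# Added example: write a pcap whose TCP payload embeds a Snort content
# match inside filler bytes, for replay with `snort -r`. All addresses
# and the content string are constructed placeholders, not real data.
import struct
import time

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(payload: bytes, src: str, dst: str, sport: int, dport: int) -> bytes:
    """Ethernet/IPv4/TCP (PSH,ACK) frame carrying payload, checksums filled in."""
    src_ip = bytes(int(o) for o in src.split("."))
    dst_ip = bytes(int(o) for o in dst.split("."))
    # TCP header: seq/ack are arbitrary, data offset 5 words, flags PSH|ACK.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 0x50, 0x18, 8192, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp + payload

def build_pcap(content: bytes, pad_before: int, pad_after: int):
    """Return (pcap file bytes, payload); the content match is surrounded
    by filler so the rule must find it inside a larger stream."""
    payload = b"A" * pad_before + content + b"B" * pad_after
    frame = build_frame(payload, "10.0.0.1", "10.0.0.2", 40000, 80)
    # pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", int(time.time()), 0, len(frame), len(frame)) + frame
    return header + record, payload

if __name__ == "__main__":
    # Constructed content match; replay with: snort -c snort.conf -r test.pcap
    pcap, _ = build_pcap(b"GET /cgi-bin/test.cgi", 64, 512)
    with open("test.pcap", "wb") as fh:
        fh.write(pcap)
```

Vary pad_before and pad_after (or split the payload across several records) to exercise depth, offset and stream reassembly behaviour of the rule rather than only its content string.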