[Snort-users] how to test snort rules?

waldo kitty wkitty42 at ...14940...
Wed Feb 9 22:30:57 EST 2011


On 2/8/2011 12:12, Fraser, Hugh wrote:
> There's also a project, still in development, called Rule2Alert that imports
> snort rules and uses Scapy to generate the corresponding traffic to trigger the
> rules. It's at www.malforge.com <http://www.malforge.com>.

I've used rule2alert and it does do exactly what it says it does. However, 
what it does not do, at least at the time of my testing, is create a pcap 
that is "larger" than the rule's requirements for testing.

In other words, it creates exactly what the rule is looking for and nothing 
more. In my case, I needed additional pcaps that carried traffic "larger" than 
the specifics but that still contained the specifics, if that makes any sense 
at all.
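
A way to build the "larger" pcap described above, as an added example that is not part of the original post and not Rule2Alert's code: the rule's `content` bytes are embedded in filler at a chosen position, a small emulation of Snort's content/offset/depth matching confirms the pattern still falls inside the rule's search window, and the result is written as an Ethernet/IPv4/TCP segment into a classic libpcap file using only the Python standard library (no Scapy). The rule content, the offset/depth values, the IP addresses, ports, MAC addresses, timestamp and output file name are all constructed for illustration.

```python
"""Build a pcap whose TCP payload carries a Snort rule's `content` match
surrounded by extra bytes, then check that the match still falls inside the
rule's offset/depth window. Standard library only (no Scapy needed)."""
import random
import socket
import struct

# Constructed rule parameters, hypothetical and for illustration only.
RULE_CONTENT = b"GET /cmd.exe"
RULE_OFFSET = 0    # Snort `offset`: the search starts this many bytes into the payload
RULE_DEPTH = 64    # Snort `depth`: the search covers this many bytes from that start


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum, as used by IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pad_payload(content: bytes, prefix_len: int, suffix_len: int, seed: int = 1) -> bytes:
    """Embed `content` in filler so the segment is larger than the bare match.
    Filler uses lowercase letters absent from `content`, so the only
    occurrence of the pattern is the one placed at `prefix_len`."""
    rng = random.Random(seed)
    alphabet = [b for b in range(ord("a"), ord("z") + 1) if b not in content]
    filler = lambda n: bytes(rng.choice(alphabet) for _ in range(n))
    return filler(prefix_len) + content + filler(suffix_len)


def matches_rule(payload: bytes, content: bytes = RULE_CONTENT,
                 offset: int = RULE_OFFSET, depth: int = RULE_DEPTH) -> bool:
    """Emulate Snort content/offset/depth: the whole pattern must lie within
    the `depth` bytes that start `offset` bytes into the payload."""
    return content in payload[offset:offset + depth]


def build_frame(payload: bytes, src: str = "10.0.0.5", dst: str = "10.0.0.80",
                sport: int = 40000, dport: int = 80, seq: int = 1000, ack: int = 5000) -> bytes:
    """Ethernet/IPv4/TCP frame (PSH+ACK, no options) carrying `payload`,
    with valid IP and TCP checksums. Addresses and ports are constructed."""
    src_ip, dst_ip = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_csum = ones_complement_sum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_sum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = bytes.fromhex("001122334455" "0066778899aa") + struct.pack("!H", 0x0800)
    return eth_hdr + ip_hdr + tcp_hdr + payload


def frame_checksums_ok(frame: bytes) -> bool:
    """Recompute both checksums of a built frame; each must fold to zero.
    Snort's checksum_mode can make it ignore packets with bad checksums, so a
    hand-built pcap that fails here may never trigger the rule at all."""
    ip = frame[14:34]
    tcp_len = struct.unpack("!H", ip[2:4])[0] - 20
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, tcp_len)
    return (ones_complement_sum(ip) == 0
            and ones_complement_sum(pseudo + frame[34:34 + tcp_len]) == 0)


def pcap_bytes(frames, base_ts: int = 1297290657) -> bytes:
    """Serialise frames as a classic little-endian libpcap file, Ethernet link
    type, one second apart; `base_ts` is a constructed timestamp."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


if __name__ == "__main__":
    bare = RULE_CONTENT                            # what a rule-to-traffic generator emits
    padded = pad_payload(RULE_CONTENT, 20, 300)    # same match inside a larger segment
    too_deep = pad_payload(RULE_CONTENT, 60, 10)   # match pushed past `depth`: must not fire
    for name, p in (("bare", bare), ("padded", padded), ("too_deep", too_deep)):
        print(f"{name:9s} len={len(p):4d} matches={matches_rule(p)}")
    frames = [build_frame(p) for p in (bare, padded)]
    assert all(frame_checksums_ok(f) for f in frames)
    with open("padded_rule_traffic.pcap", "wb") as fh:
        fh.write(pcap_bytes(frames))
```

Replay the file with `snort -r padded_rule_traffic.pcap -c snort.conf -A console` and compare alerts for the bare and padded packets. Two caveats when going beyond the bare match: the padding has to respect every positional modifier on the rule (`offset`, `depth`, `distance`, `within`), which is what `matches_rule` checks for the simple offset/depth case, and this writes single mid-stream segments, so a rule with `flow:established` normally also needs the TCP handshake in the pcap before the stream preprocessor will hand the segment to detection.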
