[Snort-users] Test traffic

Jason Wallace jason.r.wallace at ...11827...
Tue Feb 19 22:05:06 EST 2013


None of these things actually "test" the accuracy and effectiveness of
your IPS. All they do is tell you that snort generated a bunch of
alerts. This is no more useful than turning on SID:408 and SID:384 and
pinging your box. Replaying pcaps from some other network and getting
alerts only tells you that if your network is exactly like the network
the pcap was captured from then you might get an alert. Pointing a
port scanner at your box isn't any better. Pointing a vulnerability
scanner at your box is misleading if you are not doing a controlled
test and do not understand the tests being performed. If you turn on
150 vulnerability tests, then you had better get 150 alerts. Many if
not most vulnerability scanners don't actually use exploits or "bad"
traffic. They login and check the versions of programs and libraries
to see if their versions are below a certain level. These types of
tests do nothing to actually test your IPS. None of these things tell
you if your de-fragmentation/stream/decoding/http_inspect/DCE/etc
policy is set correctly for each host being protected. Replaying pcaps
and pointing some type of scanner at a host just tells you that, under
the right conditions, snort (or any other IPS) will make a lot of
noise.

Using exploit tools like Armitage/metasploit is a much better option,
but just flinging a "Hail Mary" at it is only useful if you know
exactly what was attempted and compare those attempts to your alerts.
You also need to do this on a like system. Pointing Armitage at an
OWASP BWA virtual machine doesn't tell you that snort will alert when
your BWA currently running in production is attacked. If you really
want to know if sid:aaaaa will protect your box from CVE-yyyy-xxxx
then my recommendation is to snapshot/clone the VM and use actual
exploit/pen-testing tools (not a vulnerability scanner) on the actual
box/clone. If it isn't a VM, backup the system, and test it in a
change window. This is the only way to really know if you are
providing coverage for a given set of vulnerabilities.
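The comparison described above (knowing exactly what was launched and checking those attempts against the alerts, rather than counting noise), as an added example that is not code from this thread or from Snort: the script parses Snort alert_fast lines, matches each line to a logged exploit attempt by target address and time window, and reports attempts whose expected SID fired, attempts that were missed even though something else alerted, and alerts no attempt explains. The attempt log, the local-rule SIDs in the 1000000+ range and the alert lines are constructed for illustration; only the alert_fast line layout is Snort's, and the year is an assumption because alert_fast timestamps carry none.

```python
"""Compare a controlled exploit run against Snort's alert_fast output.

Added example for this thread, not code from the list or from Snort.
The attempt log, the local-rule SIDs (1000001..) and the alert lines are
constructed for illustration; only the alert_fast line layout is Snort's.
"""
import re
from datetime import datetime, timedelta

# alert_fast lines look like:
#   02/19-22:05:06.123456  [**] [1:408:5] ICMP Echo Reply [**] [Classification: ...] [Priority: 3] {ICMP} a.b.c.d -> w.x.y.z
# The timestamp carries no year, so the year is supplied below (assumption).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)
ALERT_YEAR = 2013


def parse_alert(line):
    """Parse one alert_fast line; return None for anything that is not one."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{ALERT_YEAR}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
        "gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
        "proto": m["proto"], "src": m["src"], "dst": m["dst"],
    }


# What the tester launched, taken from the exploit tool's own log rather
# than inferred from Snort. SIDs in the 1000000+ local range are placeholders.
ATTEMPTS = [
    {"id": "A1", "when": "2013-02-19 22:01:00", "target": "10.0.0.5", "expect_sids": {1000001}},
    {"id": "A2", "when": "2013-02-19 22:03:00", "target": "10.0.0.5", "expect_sids": {1000002}},
    {"id": "A3", "when": "2013-02-19 22:05:00", "target": "10.0.0.6", "expect_sids": {1000003}},
]

# Constructed alert_fast output from the same window. 384/408 are the
# ICMP PING / Echo Reply rules mentioned in the thread.
SAMPLE_ALERTS = """\
02/19-22:00:30.100000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 10.0.0.5
02/19-22:01:02.250000  [**] [1:1000001:1] LOCAL exploit A attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.9:41234 -> 10.0.0.5:139
02/19-22:03:01.500000  [**] [1:1000009:1] LOCAL unrelated rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.9:41240 -> 10.0.0.5:80
02/19-22:10:00.000000  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.9
"""


def correlate(attempts, alert_text, window=timedelta(seconds=30)):
    """Return (per-attempt report, unexplained alerts).

    An attempt is 'covered' only if one of the SIDs it is expected to
    trigger fired against its target inside the window after launch.
    Alerts that no attempt explains are returned as noise.
    """
    alerts = [a for a in map(parse_alert, alert_text.splitlines()) if a]
    explained = set()
    report = {}
    for att in attempts:
        t0 = datetime.strptime(att["when"], "%Y-%m-%d %H:%M:%S")
        hits = [i for i, a in enumerate(alerts)
                if a["dst"] == att["target"] and t0 <= a["ts"] <= t0 + window]
        explained.update(hits)
        fired = {alerts[i]["sid"] for i in hits}
        report[att["id"]] = {
            "covered": bool(fired & att["expect_sids"]),
            "expected": sorted(att["expect_sids"]),
            "fired": sorted(fired),
        }
    noise = [a for i, a in enumerate(alerts) if i not in explained]
    return report, noise


if __name__ == "__main__":
    report, noise = correlate(ATTEMPTS, SAMPLE_ALERTS)
    for aid, r in report.items():
        status = "COVERED" if r["covered"] else "MISSED "
        print(f"{status} {aid}: expected {r['expected']} fired {r['fired']}")
    for a in noise:
        print(f"noise: sid {a['sid']} {a['msg']} {a['src']} -> {a['dst']}")
```

On the constructed data A1 is covered, A2 is missed even though a different rule fired against the same host during the attempt (the "150 alerts" trap), A3 produced nothing, and the two ICMP rules show up as noise with no attempt behind them. Feed it the exploit tool's real launch log and the sensor's alert file from a change-window run on a clone of the production host and the same three buckets answer the question the thread is asking.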




On Tue, Feb 19, 2013 at 8:26 PM, Tony Robinson
<deusexmachina667 at ...11827...> wrote:
> Sorry, meant to reply-all on this.
>
> On Tue, Feb 19, 2013 at 8:26 PM, Tony Robinson <deusexmachina667 at ...13704......>
> wrote:
>>
>> What I usually do for snort installs I'm testing via autosnort is throw an
>> Armitage "Hail Mary" against a set of vulnerable machines. Vulnerable
>> virtual machines are a dime a dozen. http://vulnhub.com/ has a list of
>> vulnerable virtual machines, but for my testing, I have Metasploitable 2 and
>> OWASP BWA virtual machines. I place a virtual machine running snort in the
>> same virtual network, and a BackTrack VM on the same virtual network/vswitch
>> and just throw Armitage's "Hail Mary" with exploit ranking set to "low".
>> Snort will pick up a lot of things, as there is some truly nasty traffic
>> going across the wire.
>>
>>
>> On Tue, Feb 19, 2013 at 1:51 PM, Heine Lysemose <lysemose at ...11827...>
>> wrote:
>>>
>>> Hi
>>>
>>> Here's a list of PCAPs you can replay on your snort monitoring interface.
>>>
>>> https://code.google.com/p/security-onion/wiki/Pcaps
>>>
>>> /Lysemose
>>>
>>> On Feb 19, 2013 6:44 PM, "Josh Bitto" <jbitto at ...16055...> wrote:
>>>>
>>>> I had really good results with this...
>>>>
>>>> http://www.radmin.com/download/previousversions/portscanner.php
>>>>
>>>> From: Yonas Abebe [mailto:jonasabebe at ...11827...]
>>>> Sent: Tuesday, February 19, 2013 9:39 AM
>>>> To: snort-users at lists.sourceforge.net
>>>> Subject: [Snort-users] Test traffic
>>>>
>>>> Hi,
>>>>
>>>> I tested Snort with ICMP packets and nmap scans and it works. But I want
>>>> to test it more. Is there some way that I can find some traffic containing
>>>> malicious code that Snort can detect or block?
>>>>
>>>> Thanks for the help!
>>>>
>>>> -jonas
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Everyone hates slow websites. So do we.
>>>> Make your web apps faster with AppDynamics
>>>> Download AppDynamics Lite for free today:
>>>> http://p.sf.net/sfu/appdyn_d2d_feb
>>>> _______________________________________________
>>>> Snort-users mailing list
>>>> Snort-users at lists.sourceforge.net
>>>> Go to this URL to change user options or unsubscribe:
>>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>>> Snort-users list archive:
>>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>>
>>>> Please visit http://blog.snort.org to stay current on all the latest
>>>> Snort news!
>>>
>>
>> --
>> when does reality end? when does fantasy begin?