[Snort-users] Help With Assignment
wkitty42 at ...14940...
Wed Feb 20 20:33:24 EST 2013
On 2/15/2013 11:18, Jeremy Golden wrote:
> Hello: I am new to Snort and I have a question. I was given the assignment to
> install snort and get it up and running on my machine. I have done so, but I now
> need to launch some covert attacks on my system, analyze the data received from
> the IDS, develop a rule for a particular attack, and demonstrate that it works;
> and write up a report.
one problem is that snort will not report anything without a rule for the
traffic... sounds like you need to also be using something like tcpdump to
capture the traffic when you send it and then build your rule(s) from that
> Can anyone help me with what covert attacks to launch?
that depends on what you are needing or wanting to look for... some things might
be reported as an "attack" when they are not... this coming from the msg:"blah"
content of the rules... this is one reason why the rules' msg text needs to be
as concise and pure as possible... for example, a user downloading a jpg while
visiting a web site is not an attack but you may have rules that announce it to
be such simply because their msg text is not correct...
> And what kind of rules I would need to develop?
again, this depends on what, exactly, you are going to be looking for... there
are existing pcaps (packet captures) available that you can test with... you can
either feed them directly to snort via a command line option or you can actually
send them across your network with tools like pktreplay or some such... i know
there is at least one tool for doing this but i don't recall the name... that
one is made up for this example and discussion...
remember, uncle google is your friend ;)
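
The capture, rule, replay loop described in the reply above, as an added example that is not part of the original post. It assumes Snort 2.x and tcpdump are installed and that a file holding only rules is acceptable as the `-c` config; the marker string, file names and sid are constructed for illustration.

```shell
#!/bin/sh
# Added example: capture -> rule -> replay loop for a Snort 2.x lab.
# MARKER, PCAP, RULES and the sid used below are constructed values.

MARKER="snort-lab-marker-7f3a"   # benign constructed string the rule looks for
PCAP="lab-test.pcap"             # where tcpdump stores the captured traffic
RULES="local-test.rules"         # rules-only file, also passed to snort as -c (assumption)

# 1. Record the test traffic while you generate it (needs root; stop with Ctrl-C).
#    -s 0 keeps full payloads so the rule content can be read out of the capture.
capture_traffic() {   # usage: capture_traffic <interface> <tcp-port>
    tcpdump -i "$1" -s 0 -w "$PCAP" "tcp port $2"
}

# 2. Emit one rule for what the capture showed. The msg text states only what
#    was matched, so an alert is not announced as something it is not.
make_rule() {         # usage: make_rule <content-string> <sid>
    case "$1" in
        # ; \ and " need escaping inside content, and | switches to hex bytes
        *'"'*|*';'*|*'|'*|*'\'*)
            echo "content needs escaping or hex notation: $1" >&2
            return 1 ;;
    esac
    # sids below 1000000 are reserved for distributed rule sets
    [ "$2" -ge 1000000 ] 2>/dev/null || {
        echo "local rule sids start at 1000000" >&2
        return 1
    }
    printf 'alert tcp any any -> any any (msg:"LAB marker string in TCP payload"; content:"%s"; sid:%s; rev:1;)\n' "$1" "$2"
}

# 3. Feed the capture straight to Snort with only this rule loaded.
#    -k none: locally captured packets often carry bad checksums (offload),
#    and Snort would otherwise ignore them.
replay_pcap() {
    snort -q -k none -A console -c "$RULES" -r "$PCAP"
}

# Order of use:
#   capture_traffic eth0 80              # terminal 1, then send traffic containing $MARKER
#   make_rule "$MARKER" 1000001 > "$RULES"
#   replay_pcap                          # expect one alert line per matching packet
```

If `replay_pcap` prints nothing, open the capture in tcpdump or Wireshark and confirm the marker bytes are actually in the payload before changing the rule.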