[Snort-users] Help With Assignment

waldo kitty wkitty42 at ...14940...
Wed Feb 20 20:33:24 EST 2013


On 2/15/2013 11:18, Jeremy Golden wrote:
> Hello: I am new to Snort and I have a question. I was given the assignment to
> install snort and get it up and running on my machine. I have done so, but I now
> need to launch some covert attacks on my system, analyze the data received from
> the IDS, develop a rule for a particular attack, and demonstrate that it works;
> and write up a report.

one problem is that snort will not report anything without a rule for the 
traffic... sounds like you need to also be using something like tcpdump to 
capture the traffic when you send it and then build your rule(s) from that 
information...

> Can anyone help me with what covert attacks to launch?

that depends on what you are needing or wanting to look for... some things might 
be reported as an "attack" when they are not... this coming from the msg:"blah" 
content of the rules... this is one reason why the rules' msg text needs to be 
as concise and pure as possible... for example, a user downloading a jpg while 
visiting a web site is not an attack but you may have rules that announce it to 
be such simply because their msg text is not correct...

> And what kind of rules I would need to develop?

again, this depends on what, exactly, you are going to be looking for... there 
are existing pcaps (packet captures) available that you can test with... you can 
either feed them directly to snort via a command line option or you can actually 
send them across your network with tools like pktreplay or some such... i know 
there is at least one tool for doing this but i don't recall the name... that 
one is made up for this example and discussion...

remember, uncle google is your friend ;)
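The capture, rule and replay steps from the reply above, as an added example that is not code from the original thread. It assumes Snort 2.x with a snort.conf that includes local.rules, the interface eth0, and a made-up probe path /cgi-bin/test-probe; the checker only verifies that each rule carries msg, a local-range sid and rev.

```shell
#!/bin/sh
# Added example, not code from the original thread. Interface, file paths,
# snort.conf location and the probe path /cgi-bin/test-probe are assumptions.
set -eu

IFACE="${IFACE:-eth0}"                        # assumption: interface the test traffic crosses
PCAP="${PCAP:-${TMPDIR:-/tmp}/probe.pcap}"
RULES="${RULES:-${TMPDIR:-/tmp}/local.rules}"
CONF="${CONF:-/etc/snort/snort.conf}"         # assumption: config that includes local.rules

# Step 1: capture the traffic while the test request is sent, so the rule is
# built from what actually crossed the wire (snort logs nothing without a rule).
capture_probe() {
    tcpdump -i "$IFACE" -w "$PCAP" 'tcp port 80'
}

# Step 2: the rule. The msg states only what the content match proves (a request
# for one specific path), so the alert text cannot claim more than the rule checks.
# Local rules use sid values of 1000000 and above.
write_rule() {
    cat > "$RULES" <<'EOF'
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL HTTP GET for /cgi-bin/test-probe"; flow:to_server,established; content:"GET /cgi-bin/test-probe"; nocase; sid:1000001; rev:1;)
EOF
}

# Sanity check before loading: every non-comment line carries msg, a seven-digit
# sid starting with 1 (local range) and rev. Returns 0 if the file passes, 1 otherwise.
check_rules() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            *'msg:"'*'sid:1'[0-9][0-9][0-9][0-9][0-9][0-9]';'*'rev:'*) ;;
            *) return 1 ;;
        esac
    done < "$RULES"
}

# Step 3: replay the capture through snort instead of the network:
# -r reads the pcap, -A console prints alerts as they fire.
replay_against_rules() {
    snort -q -c "$CONF" -r "$PCAP" -A console
}
```

Run capture_probe in one terminal, send the test request, stop tcpdump, then write_rule, check_rules and replay_against_rules; the console alert should read exactly the msg text above.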
