[Snort-users] Testing Snort

Russ Combs rcombs at ...1935...
Wed Jan 30 14:41:36 EST 2013


You can also do inline pcap testing using the dump DAQ:

    snort --daq dump --daq-var load-mode=read-file -Q <other options>

This will create a file called inline-out.pcap that has the packets that
Snort allowed or injected.  Any normalizations are also visible there.

On Wed, Jan 30, 2013 at 2:21 PM, Justin Knox <jknox at ...16001...> wrote:

> Another possibility would be to use tcpreplay[1] and some captures from
> some of the known repositories [2,3]. If you're trying to prove out snort
> inline in this manner, you might need to spend some time making sure you've
> got your lab bench laid out as needed so you can do this though.
>
> If you can, you might want to also try snagging a capture of the traffic
> you're looking to monitor and/or control and use tcpreplay on your bench to
> prove out background noise, and maybe even look into tuning your ruleset
> prior to deployment.
>
> [1] http://tcpreplay.synfin.net/
> [2] https://www.evilfingers.com/repository/pcaps.php
> [3] http://pcapr.net/home
>
>
> On Wed, Jan 30, 2013 at 12:44 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
>
>> Then your best bet is to throw a scan or known bad traffic at a
>> target, so it crosses the wire and you can see it as expected.  There's
>> lots of different tools to do that.
>>
>> Or, write a custom rule looking for a payload and use hping to send
>> that payload.  Then you've verified that your local rules are working
>> and that it sees traffic on the wire from one host to another.
>>
>> On Wed, Jan 30, 2013 at 5:28 PM, Josh Bitto <jbitto at ...16055...>
>> wrote:
>> > Well I have snort running on a test lab to see how well it actually
>> > runs. I figured out my problem that I had in pfsense. I had to bridge my
>> > WAN and LAN together for snort to actually start. That being said I can see
>> > alerts and that all works. Now my real work is to be started and test to
>> > make sure that snort runs ok with our network. So I want to simulate bad
>> > traffic so I can show my boss and say hey this works let's use it...
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: Jeremy Hoel [mailto:jthoel at ...11827...]
>> > Sent: Wednesday, January 30, 2013 9:25 AM
>> > To: Josh Bitto
>> > Cc: Snort Users
>> > Subject: Re: [Snort-users] Testing Snort
>> >
>> > If you want to see if it alerts on packets in general, you can load
>> > PCAPs from a number of sources and read them through to see if the rules
>> > fire.  If you want to see that it's seeing network traffic and alerting,
>> > you can make a local rule for something and then send that traffic and see
>> > if that fires.
>> >
>> > Otherwise, what are you trying to test?
>> >
>> > On Wed, Jan 30, 2013 at 5:17 PM, Josh Bitto <jbitto at ...16055...>
>> > wrote:
>> >> Does anyone know of a good tool to use to test my IPS? I know of
>> >> Metasploit...but I'm not sure if there is something that is better or
>> >> something broader in spectrum to test.
>> >>
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> ----------------------------------------------------------------------
>> >> -------- Everyone hates slow websites. So do we.
>> >> Make your web apps faster with AppDynamics Download AppDynamics Lite
>> >> for free today:
>> >> http://p.sf.net/sfu/appdyn_d2d_jan
>> >> _______________________________________________
>> >> Snort-users mailing list
>> >> Snort-users at lists.sourceforge.net
>> >> Go to this URL to change user options or unsubscribe:
>> >> https://lists.sourceforge.net/lists/listinfo/snort-users
>> >> Snort-users list archive:
>> >> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> >>
>> >> Please visit http://blog.snort.org to stay current on all the latest
>> >> Snort news!
>> >
>> >
>>
>>
>
>
>
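The thread suggests two checks: write a local rule for a known payload and send that payload (Jeremy's reply), and read a capture through Snort with the dump DAQ to see what survives inline processing (Russ's note at the top). The script below is an added example, not code from any poster or from the Snort project: it builds a small capture containing a TCP handshake plus one data segment carrying a marker string, and writes a matching local rule, so the rule can be checked from a file without a lab bench. The addresses, MACs, marker payload, SID, and the file names test.pcap and local.rules are all constructed assumptions. The rule uses flow:established, which is why the capture includes the handshake: Snort's stream tracking only flags a session as established when it saw it being set up, so a lone data segment would not satisfy that rule.

```python
"""Test capture + local rule generator for checking a Snort IPS rule (added example).

Everything here is constructed for the demonstration: the addresses, MACs,
marker payload, file names and SID are assumptions, not values from the thread.
"""
import socket
import struct

PAYLOAD = b"SNORT-IPS-TEST-PAYLOAD"            # constructed marker the rule looks for
SID = 1000001                                  # local rules use SIDs >= 1000000
CLIENT, SERVER = "192.0.2.10", "192.0.2.80"    # RFC 5737 documentation addresses
CLIENT_MAC = bytes.fromhex("020000000001")     # locally administered, constructed
SERVER_MAC = bytes.fromhex("020000000002")
SYN, ACK, PSH = 0x02, 0x10, 0x08               # TCP flag bits used below


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words, zero-padded if odd."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP frame with correct checksums; Snort ignores bad-checksum
    packets by default, so a hand-built capture must get these right."""
    sip, dip = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    smac, dmac = (CLIENT_MAC, SERVER_MAC) if src == CLIENT else (SERVER_MAC, CLIENT_MAC)
    return dmac + smac + b"\x08\x00" + ip + tcp


def verify_frame(frame: bytes) -> bool:
    """Recompute both checksums over a frame built by tcp_frame(); valid ones sum to zero."""
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def build_session(payload: bytes = PAYLOAD) -> list:
    """Three-way handshake then one client->server data segment. The handshake is
    included because the rule below uses flow:established, which stream tracking
    only sets for a session it saw being set up."""
    cseq, sseq = 1000, 5000
    return [
        tcp_frame(CLIENT, SERVER, 40000, 80, cseq, 0, SYN),
        tcp_frame(SERVER, CLIENT, 80, 40000, sseq, cseq + 1, SYN | ACK),
        tcp_frame(CLIENT, SERVER, 40000, 80, cseq + 1, sseq + 1, ACK),
        tcp_frame(CLIENT, SERVER, 40000, 80, cseq + 1, sseq + 1, PSH | ACK, payload),
    ]


def pcap_bytes(frames, base_ts: int = 1359574800) -> bytes:
    """Classic libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet), frames 1 ms apart."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", base_ts, i * 1000, len(f), len(f)) + f
    return out


def local_rule(action: str = "alert", sid: int = SID) -> str:
    """Snort 2.x rule matching the marker on client->server traffic to port 80."""
    return (f'{action} tcp any any -> any 80 (msg:"LOCAL test payload seen"; '
            f'flow:to_server,established; content:"{PAYLOAD.decode()}"; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    frames = build_session()
    assert all(verify_frame(f) for f in frames)
    with open("test.pcap", "wb") as fh:
        fh.write(pcap_bytes(frames))
    with open("local.rules", "w") as fh:
        fh.write(local_rule("drop") + "\n")
    # Check that the rule fires with Snort reading the capture:
    #   snort -c snort.conf -r test.pcap -A console
    # Inline check with the dump DAQ as described at the top of the thread; with
    # the rule action set to 'drop', the data segment should be absent from
    # the inline-out.pcap that the dump DAQ writes:
    #   snort -c snort.conf -r test.pcap --daq dump --daq-var load-mode=read-file -Q
    print("wrote test.pcap (%d frames) and local.rules" % len(frames))
```

Running the script writes the two files; include local.rules from snort.conf and run the two commands in the comments. Comparing the data segment count in test.pcap against inline-out.pcap shows whether the drop actually took effect rather than only producing an alert, which is the distinction that matters when proving out IPS mode.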