IDS mailing list archives
Re: SNORT Testing
From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Thu, 2 Mar 2006 09:51:31 +0100
Hi, On Tue, Feb 28, 2006 at 01:37:49PM -0500, Richard Bejtlich wrote:
On 2/27/06, Byron Sonne <blsonne () rogers com> wrote:The tools that come to mind for me are 'stick' and 'snot': http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0096.htmlHello, Stick, Snot, and all other stateless tools are a waste of time, and have been since mid-2001.
why? 1. You can still test if stream4 (established) TCP works. 2. You can disable stream4 and see how snort behaves on a high alert rate. The subject was testing snort. This way you can not test stream4 but what about output plugins? FPG was build especially on this focus. How will you know if your output plugin does work with a high alert rate if you do not test it? 3. What is with UDP, ICMP or IP? Attacks on these fields are still possible without an "established" state (whatever this might be with these protocols). So I won't say these toolls are a waste of time, it depends highly on what you like to test. Best regards Dirk Geschke ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Re: SNORT Testing Martin Roesch (Mar 01)
- Re: SNORT Testing Eric Hines (Mar 03)
- <Possible follow-ups>
- Re: SNORT Testing Richard Bejtlich (Mar 01)
- Re: SNORT Testing Dirk Geschke (Mar 03)
- Re: SNORT Testing Aaron Turner (Mar 02)
- Re: SNORT Testing Byron Sonne (Mar 02)
- RE: SNORT Testing Terry Vernon (Mar 03)
- Re: SNORT Testing Stefano Zanero (Mar 09)
- RE: SNORT Testing Terry Vernon (Mar 03)