Snort mailing list archives
Re: Testing Snort
From: dmuz <dmuz () slatibartfast angrypacket com>
Date: Thu, 31 May 2001 08:38:10 -0700
On Thu, May 31, 2001 at 09:01:17AM -0700, Rich Phelps said:
Good Morning,
mornin'
I'm running Black Ice Defender and Snort 1.7 on my network. Black Ice has picked up several probes over the night but Snort hasn't logged a thing. I'm currently using the signatures from www.whitehats.com. Is there any way I can test Snort out?
There are two questions here. First, why is BlackIce seeing things that snort is not. Second, how can you test snort.

1.) I'll assume that you have snort configured in a way that it can "see" the traffic in question. For example on a hub or spanned port of a switch. The answer is probably very simple, BlackIce is configured to alert for types of traffic that snort does not consider an attack. It has been my experience that BlackIce (and others) can be a little too sensitive. Snort is probably just being a little more discriminating. After all, what good is an IDS if you get so many false alerts that you can not pick out the true ones? The bottom line is snort will log what you tell it to log via the rules. Not getting enough alerts? Add more rules... :)

2.) If you want to test snort. Start by scanning it. If you have access to a *nix system download nmap and port scan the machine running snort. Go over to http://packetstorm.securify.com/ and download some exploit code (how about jill.c or some other recent crack) and run that against your snort box. Ping it, prod it, poke it.. see what it does..

cheers,
--
dmuz
http://sec.angrypacket.com/
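A benign way to do the "ping it, prod it" check before reaching for scanners or exploit code, added here as an example and not part of the post: a small rules file whose alerts you can trigger yourself with ordinary tools, so a hit proves both that the sensor sees the segment and that the rule engine is loaded. Assumed placeholders: the monitored block 192.168.1.0/24, the log path /var/log/snort, and a Linux host on the same segment to send the test traffic from.

```snort
# local-test.rules (constructed example; not from the post or the Snort distribution)
# Keywords are limited to ones available in Snort 1.x rule syntax.

# Portscan preprocessor: alert when one source hits 5 or more ports on the
# monitored block within 3 seconds. This is what should fire when you nmap
# the sensor as the reply suggests. Network and log path are assumptions.
preprocessor portscan: 192.168.1.0/24 5 3 /var/log/snort/portscan.log

# 1) ICMP echo whose payload carries the ASCII pattern "SNORTTEST".
#    Send it from a Linux host on the same segment; ping -p takes the
#    pattern as hex, and "SNORTTEST" is 534e4f525454455354:
#      ping -c 3 -p 534e4f525454455354 <any host on the segment>
alert icmp any any -> any any (msg:"LOCAL TEST - ICMP echo with SNORTTEST pattern"; content:"SNORTTEST";)

# 2) TCP traffic to port 80 with the same pattern in the data. Any HTTP
#    request will do; the rule only cares about the content string:
#      printf 'GET /SNORTTEST HTTP/1.0\r\n\r\n' | nc <web host> 80
alert tcp any any -> any 80 (msg:"LOCAL TEST - HTTP request with SNORTTEST pattern"; content:"SNORTTEST";)
```

Start the sensor with the rules file and a log directory (interface name is an assumption), e.g. `snort -i eth0 -c local-test.rules -l /var/log/snort`, then send the test traffic and confirm the alerts appear; if the ping rule never fires, the sensor is not seeing the segment at all, which answers the first question before any rule tuning.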
Current thread:
- Testing Snort Rich Phelps (May 31)
- Re: Testing Snort dmuz (May 31)
- <Possible follow-ups>
- Re: Testing Snort william . c . gercken (May 31)
- testing snort Jeff Bigley (Jun 26)
- RE: testing snort Johnson, David (Jun 27)