Snort mailing list archives

Re: Testing techniques


From: twig les <twigles () yahoo com>
Date: Thu, 28 Nov 2002 10:58:33 -0800 (PST)


> 1. Is there a testing suite for snort?

No.  The easiest way is to use Nessus or some other
vuln scanner and/or write a trigger rule.

> In the anti-virus (AV) world, there is a "sample virus" called eicar that
> you can send through your AV system to see if it works. Is there something
> similar for the snort world?

Yes.  Writing your own trigger rule.  Sending the
eicar virus test through your AVS only means that the
daemon is working and that if any malicious
eicar-sender hits your box you will be safe.  Same
thing as Snort, but the AVS just typically comes in a
colorful box with a grey-haired guy on the cover.

> 2. What are good techniques for fine-tuning the rules and what programs do
> you use?

After you know your network and build a careful
snort.conf and ruleset, you have to use trial and
error to eliminate the false positives.  It sucks, yes,
but IDSs are admittedly very man-hour intensive.


> The only thing I can think of is to install the snort box in NIDS mode
> looking for alerts *and* install another box to log every packet (I gather
> from docs that I can't have one instance of snort do both, right?). Then
> come back a few days later and slog through the log files looking for
> problems.
>
> I assume there is a better way, yes?

You are free to run two instances of Snort on the same
box.  In fact some people do that for other reasons.
Just make it a beefy box.

=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself                       
-----------------------------------------------------------
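The two pieces of advice in the reply (write your own trigger rule instead of looking for a Snort "eicar", and run an alerting instance and a packet-logging instance side by side) put into a runnable shape. This is an added example, not code from the post or from the Snort project; the test string, the sid, the rules-file path, the interface name and the log directories are all assumptions, and the command lines use only long-standing Snort 2.x switches (-c, -A fast, -l, -b, -D).

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values: the trigger
# string, sid 1000001, eth0, and the /var/log/snort/* directories.

# A string that never occurs in real traffic, so an alert on it has exactly
# one cause: somebody ran the test. (Same role as the eicar file for AV.)
TRIGGER_STRING="SNORT-LOCAL-TRIGGER-TEST-DO-NOT-REMOVE"
TRIGGER_SID=1000001     # sids >= 1000000 are the range left free for local rules

# Write a rule that fires on any TCP segment carrying the test string.
# Deliberately no port or flow restriction: the rule is meant to be
# impossible to miss, so that "no alert" unambiguously means the sensor,
# its ruleset or its sniffing position is broken. $HOME_NET is escaped so
# it reaches the rule file as a Snort variable, not a shell one.
write_trigger_rule() {          # $1 = rules file to (over)write
    cat > "$1" <<EOF
alert tcp any any -> \$HOME_NET any (msg:"LOCAL trigger test"; content:"$TRIGGER_STRING"; nocase; sid:$TRIGGER_SID; rev:1;)
EOF
}

# Instance 1: the NIDS, full snort.conf, one-line "fast" alerts, daemonised.
snort_alert_cmd() {             # $1 = interface, $2 = snort.conf, $3 = alert log dir
    printf 'snort -D -i %s -c %s -A fast -l %s\n' "$1" "$2" "$3"
}

# Instance 2: no ruleset at all, just binary (tcpdump-format) logging of
# every packet into its own directory, so the two never step on each other.
snort_packetlog_cmd() {         # $1 = interface, $2 = packet log dir
    printf 'snort -D -i %s -b -l %s\n' "$1" "$2"
}

# Fire the trigger from a host the sensor can see: one TCP connection that
# carries the test string. Returns 0 once the bytes have gone out, i.e. an
# alert with sid 1000001 is now expected in the alert file.
send_trigger() {                # $1 = target host, $2 = target port
    command -v nc >/dev/null 2>&1 || { echo "nc not installed" >&2; return 1; }
    printf '%s\r\n' "$TRIGGER_STRING" | nc -w 3 "$1" "$2"
}

# Stand-alone run: write the rule and print the two command lines.
RULES_FILE="${RULES_FILE:-/tmp/local.rules}"
write_trigger_rule "$RULES_FILE"
echo "wrote trigger rule to $RULES_FILE (include it from snort.conf)"
snort_alert_cmd     eth0 /etc/snort/snort.conf /var/log/snort/alerts
snort_packetlog_cmd eth0 /var/log/snort/packets
```

To use it: add an `include` for the generated rules file to snort.conf, start the two instances, run `send_trigger` against any host behind the sensor, then confirm the sid shows up in the alert file; if it does not, the sensor is not seeing traffic and no amount of ruleset tuning matters yet. The packet logger's binary files can be read back later with `snort -r <file>` or tcpdump when you go through the false positives.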



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net

