Snort mailing list archives
Re: Testing techniques
From: twig les <twigles () yahoo com>
Date: Thu, 28 Nov 2002 10:58:33 -0800 (PST)
> 1. Is there a testing suite for snort?
No. The easiest way is to use Nessus or some other vuln scanner and/or write a trigger rule.
> In the anti-virus (AV) world, there is a "sample virus" called eicar that you can send through your AV system to see if it works. Is there something similar for the snort world?
Yes. Writing your own trigger rule. Sending the eicar virus test through your AVS only means that the daemon is working and that if any malicious eicar-sender hits your box you will be safe. Same thing as Snort, but the AVS just typically comes in a colorful box with a grey-haired guy on the cover.
> 2. What are good techniques for fine-tuning the rules and what programs do you use?
After you know your network and build a careful snort.conf and ruleset, you have to use trial and error to eliminate the false positives. It sucks, yes, but IDSs are admittedly very man-hour intensive.
> The only thing I can think of is to install the snort box in NIDS mode looking for alerts *and* install another box to log every packet (I gather from docs that I can't have one instance of snort do both, right?). Then come back a few days later and slog through the log files looking for problems. I assume there is a better way, yes?
You are free to run two instances of Snort on the same box. In fact some people do that for other reasons. Just make it a beefy box.

=====
-----------------------------------------------------------
If you give a man a fish, he can eat for a day
If you bludgeon him to death, you can eat the fish yourself
-----------------------------------------------------------
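As an added example of the "write your own trigger rule" approach (this is not code from the original post or from the Snort project): a small Python script that builds an EICAR-style canary rule in Snort rule syntax, produces the harmless HTTP request that should fire it, emulates the rule's content match so you can sanity-check the pair before loading it, and then scans alert-fast output for the canary SID to confirm the sensor saw it. The token string, the message, SID 1000001 (chosen from the local-rule range), and the sample alert lines are all constructed for this example; the content-match emulation only handles the plain `content` keyword with `nocase`, which is all the canary rule uses.

```python
"""Build, self-check and verify a Snort canary trigger rule (added example, not from the post)."""
import re

# Constructed values for the example. Local rules should use SIDs >= 1000000
# so they never collide with a distributed ruleset.
CANARY_TOKEN = "SNORT-CANARY-TEST-2002"
CANARY_SID = 1000001
CANARY_MSG = "LOCAL canary trigger rule fired"


def canary_rule(token=CANARY_TOKEN, sid=CANARY_SID, msg=CANARY_MSG):
    """Return a Snort rule that alerts on any TCP packet to port 80 carrying the token."""
    return (
        "alert tcp any any -> $HOME_NET 80 "
        f'(msg:"{msg}"; content:"{token}"; nocase; '
        f"classtype:not-suspicious; sid:{sid}; rev:1;)"
    )


def canary_request(token=CANARY_TOKEN, host="ids-test.example"):
    """A harmless HTTP request carrying the token, i.e. what you would send across
    the monitored segment (with netcat or a browser) to make the sensor fire."""
    return f"GET /{token} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


_CONTENT_RE = re.compile(r'content:"([^"]+)";')


def rule_matches(rule, payload):
    """Minimal emulation of the rule's content match, used to sanity-check the
    rule/payload pair offline. Handles only plain content strings plus the
    nocase modifier (no |hex| bytes, no depth/offset, no header checks)."""
    contents = _CONTENT_RE.findall(rule)
    nocase = "nocase;" in rule
    hay = payload.lower() if nocase else payload
    return bool(contents) and all(
        (c.lower() if nocase else c).encode() in hay for c in contents
    )


# One alert-fast line looks like:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] ... {proto} src:port -> dst:port
_ALERT_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")


def alerts_for_sid(alert_lines, sid=CANARY_SID):
    """Return the messages of all alerts carrying the given SID."""
    hits = []
    for line in alert_lines:
        m = _ALERT_RE.search(line)
        if m and int(m.group(2)) == sid:
            hits.append(m.group(4))
    return hits


def canary_fired(alert_lines, sid=CANARY_SID):
    """True if the sensor logged at least one alert for the canary rule."""
    return len(alerts_for_sid(alert_lines, sid)) > 0


# Constructed sample of alert-fast output (not a real capture).
SAMPLE_ALERT_LOG = [
    "11/28-10:58:33.123456  [**] [1:1000001:1] LOCAL canary trigger rule fired [**] "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 10.0.0.5:43210 -> 10.0.0.10:80",
    "11/28-10:58:40.000001  [**] [1:999:3] unrelated alert [**] [Priority: 2] "
    "{TCP} 10.0.0.5:43211 -> 10.0.0.10:80",
]

if __name__ == "__main__":
    rule = canary_rule()
    print(rule)                       # paste this into local.rules
    print(canary_request().decode())  # send this through the monitored segment
    print("rule/payload pair matches offline:", rule_matches(rule, canary_request()))
    print("canary seen in sample alert log:", canary_fired(SAMPLE_ALERT_LOG))
```

The offline match check only proves the rule and payload agree with each other; the real test is still to load the rule, send the request across the segment the sensor watches, and confirm the SID appears in the alert file, which is what `alerts_for_sid` does against the sensor's alert-fast output.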