Snort mailing list archives
Re: false positive generator
From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Wed, 11 Feb 2004 10:27:18 +0100
Hi all,
I am currently using snort-2.1.1-RC1 and am trying to use sneeze to generate some false positives. However, it does not seem to work at all (as mentioned previously). Does anyone know if there's another false positive generator out there?

Have you tried disabling stream4? I don't know how sneeze works but if it doesn't build legit TCP sessions I don't think Snort will bother with it. Can anyone confirm this?
Yes, of course. It would be difficult (but not impossible) to build a false positive generator which is able to create established connections. The big question is: Would it be useful or would it lead to DoS attacks against snort sensors? Ok, you must have either two machines on the monitored network or direct access to the snort sensor to fake responses.

One other false-positive-generator is the program "fpg" as part of FLoP (http://www.geschke-online.de/FLoP). This generator understands some more snort keywords and works much faster. (Indeed you can create drop rates with it.) But to use it you have either to remove the "established" keywords from the rule or disable the stream4 preprocessor.

Best regards

Dirk
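The distinction discussed in this thread, as an added example that is not part of the original message or of FLoP: a sketch that splits a ruleset into rules that can match without session state and rules whose `flow` option lists `established`, which stay silent under stream4 unless a real TCP session exists. The rule lines and SIDs are constructed, and treating `established` in `flow` as the only session requirement is an assumption of this example.

```python
SAMPLE_RULES = r'''
# Constructed rules (local SID range) for illustration; not from a real ruleset.
alert tcp any any -> any 80 (msg:"constructed A"; flow:to_server,established; content:"/a.cgi"; sid:1000001;)
alert tcp any any -> any 80 (msg:"constructed B\; flow:established only in msg"; content:"/b.cgi"; sid:1000002;)
alert udp any any -> any 53 (msg:"constructed C"; content:"|00 01|"; sid:1000003;)
'''

def split_options(body):
    """Split an option body on ';', ignoring ';' inside quotes or after a backslash."""
    opts, cur, in_quote, escaped = [], "", False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append(cur.strip())
            cur = ""
            continue
        cur += ch
    return [o for o in opts + [cur.strip()] if o]

def parse_options(line):
    """Return {keyword: [values]} for one rule line, or None for comments and blanks."""
    if not line or line.startswith("#") or "(" not in line:
        return None
    body = line.partition("(")[2].rsplit(")", 1)[0]
    options = {}
    for opt in split_options(body):
        key, _, value = opt.partition(":")
        options.setdefault(key.strip().lower(), []).append(value.strip())
    return options

def partition_rules(text):
    """Return (stateless_sids, session_sids) for a ruleset given as text."""
    stateless, session = [], []
    for line in text.splitlines():
        options = parse_options(line.strip())
        if options is None:
            continue
        flow = ",".join(options.get("flow", [])).lower()
        needs_session = "established" in [f.strip() for f in flow.split(",")]
        (session if needs_session else stateless).append(options.get("sid", ["?"])[0])
    return stateless, session

if __name__ == "__main__":
    print(partition_rules(SAMPLE_RULES))
```

Rule B shows why the options are parsed rather than searched as text: the string `flow:established` appears only inside its `msg`, so the rule is correctly listed as stateless.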