Snort mailing list archives

Re: Testing Snort


From: Josh Bitto <jbitto () onlineschool ca>
Date: Wed, 30 Jan 2013 12:44:05 -0800

OK, I see what you're saying.... I have a couple more questions.

1. The rules update.... I obtained the Oinkmaster code and put it in. It has the option to update at a certain time, every 12 hours for example..... Does it automatically do that, or do I have to buy a subscription for that to actually work? I know the definitions will be 30 days old for just a regular registered user, but still.

2. Back to the rules search.... OK, I searched a couple of SID numbers and it came back as "this rule has been deprecated and placed into deleted.rules".
Should I suppress that, or are my definitions outdated?




-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com] 
Sent: Wednesday, January 30, 2013 12:10 PM
To: Josh Bitto
Cc: Justin Knox; Snort Users
Subject: Re: [Snort-users] Testing Snort

So if you have snort set to output to syslog or alert_fast you can see which rules fired in a plain text file. Then you can look up the rules in the snort.rules file (or the *.rules, if you don't combine them with Pulled Pork) and you can see why a rule fired: what it was looking for, the CVE, etc.

But there's no real wiki or DB of "this rule fires because of that".. the info for each rule is normally in the rule itself.


On Wed, Jan 30, 2013 at 8:07 PM, Josh Bitto <jbitto () onlineschool ca> wrote:
Is there a wiki or a Descriptions database that goes into more detail 
on rules when they fire?



From: Justin Knox [mailto:jknox () indexzero org]
Sent: Wednesday, January 30, 2013 11:22 AM
To: Jeremy Hoel
Cc: Josh Bitto; Snort Users
Subject: Re: [Snort-users] Testing Snort

Another possibility would be to use tcpreplay[1] and some captures 
from some of the known repositories [2,3]. If you're trying to prove 
out snort inline in this manner, you might need to spend some time 
making sure you've got your lab bench laid out as needed so you can do this though.



If you can, you might want to also try snagging a capture of the 
traffic you're looking to monitor and/or control and use tcpreplay on 
your bench to prove out background noise, and maybe even look into 
tuning your ruleset prior to deployment.



[1] http://tcpreplay.synfin.net/

[2] https://www.evilfingers.com/repository/pcaps.php

[3] http://pcapr.net/home



On Wed, Jan 30, 2013 at 12:44 PM, Jeremy Hoel <jthoel () gmail com> wrote:

Then your best bet is to throw a scan or known bad traffic at a 
target.. so it crosses the wire and you can see it as expected.  There's 
lots of different tools to do that.

Or, write a custom rule looking for a payload and use hping to send 
that payload.  Then you've verified that your local rules are working 
and that it sees traffic on the wire from one host to another.
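
The two steps Jeremy describes, a local rule that looks for a known payload and then reading the alert_fast output to see which SIDs fired and looking each one up in the rules file, as an added example that is not part of this thread. It assumes the Snort 2 alert_fast line format; the local rule (SID 1000001, marker string SNORT-LAB-TEST, placeholder CVE reference) and the alert lines are constructed, and sending the payload is left to whatever lab tool you use.

```python
import re

# Constructed local rules of the kind Jeremy suggests: alert on a marker string sent to
# port 80. SID 1000001 is in the local-rule range; the CVE reference is a placeholder.
LOCAL_RULES = '''
alert tcp any any -> $HOME_NET 80 (msg:"LOCAL test payload seen"; flow:to_server; content:"SNORT-LAB-TEST"; nocase; reference:cve,0000-0000; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL ssh from outside"; flow:to_server; classtype:attempted-recon; sid:1000002; rev:2;)
'''
# Constructed alert_fast lines (Snort 2 format): two hits on the local rule, one on a SID we do not have.
ALERT_FAST = '''\
01/30-12:10:05.123456  [**] [1:1000001:1] LOCAL test payload seen [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:43210 -> 10.0.0.9:80
01/30-12:10:07.654321  [**] [1:1000001:1] LOCAL test payload seen [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:43211 -> 10.0.0.9:80
01/30-12:11:00.000001  [**] [1:2000000:5] EXAMPLE rule not in local file [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:5555 -> 10.0.0.9:22
'''
ALERT_RE = re.compile(r'\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\].*?\{(\w+)\} (\S+) -> (\S+)')
OPT_RE = re.compile(r'(\w+):("[^"]*"|[^;]*);')   # key:value; pairs in the rule body (flags like nocase are skipped)

def parse_rules(text):
    """Index alert rules by SID, keeping the header and valued options (msg, content, reference...)."""
    rules = {}
    for line in map(str.strip, text.splitlines()):
        if not line.startswith('alert'):
            continue
        header, _, opts = line.partition('(')
        rule = {'header': header.strip(), 'reference': []}
        for key, val in OPT_RE.findall(opts):
            val = val.strip().strip('"')
            if key == 'reference':
                rule['reference'].append(val)   # a rule may carry several references
            else:
                rule[key] = val
        rules[int(rule['sid'])] = rule
    return rules

def parse_alerts(text):
    """Pull gid/sid/rev, message, protocol and endpoints out of alert_fast lines."""
    alerts = []
    for line in text.splitlines():
        if m := ALERT_RE.search(line):
            gid, sid, rev, msg, proto, src, dst = m.groups()
            alerts.append(dict(gid=int(gid), sid=int(sid), rev=int(rev), msg=msg, proto=proto, src=src, dst=dst))
    return alerts

def fired_rules(alerts, rules):
    """Count hits per SID and attach the matching rule text; a SID missing from the file gets rule=None."""
    summary = {}
    for a in alerts:
        hit = summary.setdefault(a['sid'], {'count': 0, 'msg': a['msg'], 'rule': rules.get(a['sid'])})
        hit['count'] += 1
    return summary
```

A SID that fires but comes back with rule=None is the case Josh asks about: the alert came from a rule file you are not reading here (a VRT set, or a rule since moved to deleted.rules), so look it up in those files before deciding whether to suppress it.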


On Wed, Jan 30, 2013 at 5:28 PM, Josh Bitto <jbitto () onlineschool ca> wrote:
Well, I have snort running on a test lab to see how well it actually runs.
I figured out the problem that I had in pfSense. I had to bridge my 
WAN and LAN together for snort to actually start. That being said, I 
can see alerts and that all works. Now my real work is to be started 
and test to make sure that snort runs OK with our network. So I want 
to simulate bad traffic so I can show my boss and say hey, this works, let's use it...



-----Original Message-----
From: Jeremy Hoel [mailto:jthoel () gmail com]
Sent: Wednesday, January 30, 2013 9:25 AM
To: Josh Bitto
Cc: Snort Users
Subject: Re: [Snort-users] Testing Snort

If you want to see if it alerts on packets in general, you can load 
PCAPs from a number of sources and read them through to see if the 
rules fire.  If you want to see that it's seeing network traffic and 
alerting, you can make a local rule for something and then send that traffic and see if that fires.

Otherwise, what are you trying to test?

On Wed, Jan 30, 2013 at 5:17 PM, Josh Bitto <jbitto () onlineschool ca> wrote:
Does anyone know of a good tool to use to test my IPS? I know of 
Metasploit...but I'm not sure if there is something that is better 
or something broader in spectrum to test.






----------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics Download AppDynamics Lite 
for free today:
http://p.sf.net/sfu/appdyn_d2d_jan
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest 
Snort news!
