Snort mailing list archives

Re: Help With Assignment


From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 20 Feb 2013 20:33:24 -0500

On 2/15/2013 11:18, Jeremy Golden wrote:
> Hello: I am new to Snort and I have a question. I was given the assignment to
> install snort and get it up and running on my machine. I have done so, but I now
> need to launch some covert attacks on my system, analyze the data received from
> the IDS, develop a rule for a particular attack, and demonstrate that it works;
> and write up a report.

one problem is that snort will not report anything without a rule for the 
traffic... sounds like you need to also be using something like tcpdump to 
capture the traffic when you send it and then build your rule(s) from that 
information...

> Can anyone help me with what covert attacks to launch?

that depends on what you are needing or wanting to look for... some things might 
be reported as an "attack" when they are not... this coming from the msg:"blah" 
content of the rules... this is one reason why the rules' msg text needs to be 
as concise and pure as possible... for example, a user downloading a jpg while 
visiting a web site is not an attack but you may have rules that announce it to 
be such simply because their msg text is not correct...

> And what kind of rules I would need to develop?

again, this depends on what, exactly, you are going to be looking for... there 
are existing pcaps (packet captures) available that you can test with... you can 
either feed them directly to snort via a command line option or you can actually 
send them across your network with tools like pktreplay or some such... I know 
there is at least one tool for doing this but I don't recall the name... that 
one is made up for this example and discussion...

remember, uncle google is your friend ;)
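
Added example for the workflow the reply sketches (capture or build a pcap, write a rule, check that it fires on the attack and stays quiet on normal traffic). This is my code, not the poster's and not anything from the Snort project. It assumes Snort 2.x rule syntax; the two HTTP requests inside it are constructed by hand rather than captured; and the offline matcher honours only the content:/nocase keywords, which is enough to show why snort reports nothing until some rule actually matches the traffic (a jpg fetch stays silent, the /etc/passwd probe alerts, and the msg text names only what the rule really matched):

```python
"""Build a two-packet pcap, write a local Snort rule for the 'attack' packet,
and check offline which payloads the rule's content: option would hit.

Added example for this thread, not the poster's code. My assumptions: Snort
2.x rule syntax; the two HTTP requests below are constructed by hand rather
than captured; the offline matcher honours only content:/nocase (enough to
show that Snort stays silent until some rule matches the traffic)."""
import os
import re
import struct
import tempfile

# Constructed sample traffic: a benign image fetch and a traversal probe.
BENIGN = b"GET /images/logo.jpg HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
PROBE = b"GET /cgi-bin/../../../etc/passwd HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
# sid 1000000+ is the range reserved for local rules; msg names only what is matched.
RULE = ('alert tcp any any -> any 80 (msg:"Web traversal probe for /etc/passwd"; '
        'content:"/etc/passwd"; nocase; sid:1000001; rev:1;)')

def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum for the IPv4 and TCP checksum fields."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(payload: bytes, src="10.0.0.5", dst="10.0.0.80", sport=40000, dport=80) -> bytes:
    """Ethernet/IPv4/TCP frame carrying payload as one PSH,ACK data segment."""
    src_ip, dst_ip = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    return eth + ip + tcp

def write_pcap(path: str, frames) -> None:
    """Write frames as a classic little-endian libpcap file (link type 1 = Ethernet)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1361400000 + i, 0, len(frame), len(frame)) + frame)

def read_tcp_payloads(path: str):
    """Yield the TCP payload of every Ethernet/IPv4/TCP record in a pcap."""
    with open(path, "rb") as f:
        data = f.read()
    pos = 24  # skip the global header
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        ip_off = 14
        tcp_off = ip_off + (frame[ip_off] & 0x0F) * 4
        yield frame[tcp_off + (frame[tcp_off + 12] >> 4) * 4:]

def _content_bytes(text: str) -> bytes:
    """Decode Snort content syntax: |41 42| hex groups and backslash-escaped characters."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else re.sub(r"\\(.)", r"\1", part).encode("latin-1")
    return bytes(out)

# One rule option: name, optional ':' value (quoted or bare), terminated by ';'.
_OPT = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def rule_matches(rule: str, payload: bytes) -> bool:
    """True if every content: in the rule body occurs in payload (nocase honoured)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents = []  # [[needle, nocase], ...] in rule order
    for name, value in _OPT.findall(body):
        if name == "content":
            contents.append([_content_bytes(value.strip('"')), False])
        elif name == "nocase" and contents:
            contents[-1][1] = True
    if not contents:  # nothing to match: this checker never alerts on such a rule
        return False
    return all((n.lower() in payload.lower()) if nc else (n in payload) for n, nc in contents)

def demo(pcap_path=None, rules_path=None):
    """Write covert.pcap and local.rules, then report which packet the rule hits."""
    tmp = tempfile.gettempdir()
    pcap_path = pcap_path or os.path.join(tmp, "covert.pcap")
    rules_path = rules_path or os.path.join(tmp, "local.rules")
    write_pcap(pcap_path, [build_frame(BENIGN), build_frame(PROBE)])
    with open(rules_path, "w") as f:
        f.write(RULE + "\n")
    return [rule_matches(RULE, p) for p in read_tcp_payloads(pcap_path)]

if __name__ == "__main__":
    print(demo())  # [False, True]: the jpg fetch is silent, the probe alerts
```

To run the same check in snort itself, include the generated local.rules in your snort.conf and read the file back with the -r option, e.g. `snort -q -A console -c /etc/snort/snort.conf -r /tmp/covert.pcap` (those paths are the usual Linux package layout, an assumption). tcpreplay is one tool that puts a pcap back on the wire (`tcpreplay -i eth0 /tmp/covert.pcap`) so a snort listening on that interface sees it, and `tcpdump -w` is the way to record your own attack traffic before writing further rules from it. Keep in mind that real snort also runs its stream and HTTP preprocessors before the content match, so the offline matcher here is only a first approximation of what will alert.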
