Snort mailing list archives
Re: Help With Assignment
From: waldo kitty <wkitty42 () windstream net>
Date: Wed, 20 Feb 2013 20:33:24 -0500
On 2/15/2013 11:18, Jeremy Golden wrote:
Hello: I am new to Snort and I have a question. I was given the assignment to install snort and get it up and running on my machine. I have done so, but I now need to launch some covert attacks on my system, analyze the data received from the IDS, develop a rule for a particular attack, and demonstrate that it works; and write up a report.
one problem is that snort will not report anything without a rule for the traffic... sounds like you need to also be using something like tcpdump to capture the traffic when you send it and then build your rule(s) from that information...
Can anyone help me with what covert attacks to launch?
that depends on what you are needing or wanting to look for... some things might be reported as an "attack" when they are not... this coming from the msg:"blah" content of the rules... this is one reason why the rules' msg text needs to be as concise and pure as possible... for example, a user downloading a jpg while visiting a web site is not an attack but you may have rules that announce it to be such simply because their msg text is not correct...
And what kind of rules I would need to develop?
again, this depends on what, exactly, you are going to be looking for... there are existing pcaps (packet captures) available that you can test with... you can either feed them directly to snort via a command line option or you can actually send them across your network with tools like pktreplay or some such... i know there is at least one tool for doing this but i don't recall the name... that one is made up for this example and discussion... remember, uncle google is your friend ;)
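The workflow suggested in the reply above (capture the traffic, then build the rule from what was captured, with msg text that says only what the rule proves), as an added example that is not part of the original thread. It parses a constructed one-packet pcap and emits a Snort rule for the jpg download case mentioned in the reply; the packet bytes, addresses, sid and helper names are all assumptions made for illustration.

```python
import struct

def build_sample_pcap(payload: bytes) -> bytes:
    """Constructed one-packet capture (Ethernet/IPv4/TCP), laid out as tcpdump -w writes it."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]))  # checksums left 0
    frame = b"\x02" * 6 + b"\x06" * 6 + b"\x08\x00" + ip + tcp + payload
    file_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return file_hdr + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def tcp_payloads(pcap: bytes):
    """Yield (dst_port, payload) for every IPv4/TCP frame in a little-endian pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap file")
    off = 24                                   # skip the 24-byte file header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<I", pcap, off + 8)[0]
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                           # not IPv4 over Ethernet, or not TCP
        tcp_off = 14 + (frame[14] & 0x0F) * 4  # Ethernet header + IP header length
        if len(frame) < tcp_off + 20:
            continue                           # truncated TCP header
        end = 14 + struct.unpack_from("!H", frame, 16)[0]   # IP total length
        data_off = tcp_off + (frame[tcp_off + 12] >> 4) * 4
        yield struct.unpack_from("!H", frame, tcp_off + 2)[0], frame[data_off:end]

def snort_content(data: bytes) -> str:
    """Printable bytes stay literal; the rest, and Snort's special characters, become |hex|."""
    parts = [chr(b) if 0x20 <= b < 0x7F and chr(b) not in '";\\|:' else "|%02X|" % b
             for b in data]
    return "".join(parts).replace("||", " ")   # merge neighbours: |0D||0A| -> |0D 0A|

def rule_from_request(dport: int, payload: bytes, sid: int) -> str:
    """Build a rule from the captured request line; msg claims only what the match proves."""
    method, uri = payload.split(b"\r\n", 1)[0].split(b" ")[:2]
    match = method + b" " + uri
    # Assumption: the sample URI contains no characters that need escaping inside msg.
    return ('alert tcp any any -> any %d (msg:"LOCAL HTTP request seen: %s"; '
            'content:"%s"; sid:%d; rev:1;)'
            % (dport, match.decode("ascii"), snort_content(match), sid))

SAMPLE = b"GET /images/logo.jpg HTTP/1.1\r\nHost: www.example.com\r\n\r\n"  # constructed
if __name__ == "__main__":
    for port, data in tcp_payloads(build_sample_pcap(SAMPLE)):
        print(rule_from_request(port, data, 1000001))
```

The emitted rule can go into a local rules file and be exercised against a capture file with Snort's `-r` option, which reads packets from a pcap instead of a live interface.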