Re: [Snort-users] need some attacks to test snort
This is a discussion on Re: [Snort-users] need some attacks to test snort within the Snort forums, part of the System Security and Security Related category; Hi Fossil, There are several ways to test snort and to debug issues. If you are concerned that snort isn'...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
04-22-2007
|
|||
|
|||
Re: [Snort-users] need some attacks to test snort
Hi Fossil,
There are several ways to test snort and to debug issues. If you are concerned that snort isn't seeing the traffic you wish to detect, then you will want to tcpdump on the interface and initiate traffic between the hosts you want to monitor. There are a quite a few vulnerability scanners you can use to test a snort sensor. These softwares can be complicated and are a little overkill if you just want to ensure your snort sensor is firing properly. A great way to test snort's ability to fire a signature with out having to install a complicated vulnerability scanner is to use netcat and telnet. Using netcat to initiate a listening port on a remote host, say port 80. You can then telnet to the listener and feed it raw HTTP protocol. For example, once connected feed it: GET /etc/passwd HTTP/1.1<ENTER> <ENTER> Press enter instead of typing <ENTER>, but this will simulate a browser requestion the /etc/passwd file on a webserver. This should fire the /etc/passwd signature, confirming the sensor is operating correctly. Regards, Benjamin On Friday 20 April 2007 02:08, Patrick S. Harper wrote: > Nessus will do that, he just mentioned that if your curently reciving ICMP > alerts then you know Snort is runing. You also look might look at > metasploit. > > > -----Original Message----- > > From: snort-users-bounces@lists.sourceforge.net [mailto:snort-users- > > bounces@lists.sourceforge.net] On Behalf Of Fossil > > Sent: Friday, April 20, 2007 12:43 AM > > To: snort-users@lists.sourceforge.net > > Subject: Re: [Snort-users] need some attacks to test snort > > > > Thank you Joel > > Sure, I will try BASE. About the ICMP, ya thats true but i want to > > study more about how this rules get fired and how attacks are made, so > > i was looking for more attacks for my understanding and learning about > > the network security. so if you have more info regarding where i can > > download those codes i will more than helpful. > > best regards > > fossil > > > > > > > > Fossil, > > > > #1 -- Don't use ACID, use BASE. http://base.secureideas.net > > #2 -- You can use something like nessus to make Snort alert to make > > sure it's generating alerts, however, if you already receiving ICMP > > alerts, then you know it working properly. > > > > Joel > > > > +---------------------------------------------------------------------+ > > Joel Esler Security Consultant > > gpg key: http://demo.sourcefire.com/jesler.pgp.key > > +---------------------------------------------------------------------+ > > > > On Apr 19, 2007, at 9:43 PM, Fossil wrote: > > > Hello every one > > > i have installed snort and Acid > > > now i need some attacks - code by which i can check snort. i mean > > > some example code, script by running that on other machine, the > > > snort generates alert. > > > > > > is there a site where i can download some attacks for testing > > > purpose. i have the ICMP or ping based attacks but i want other > > > ones. is there a source where i can download that code > > > > > > any help will be appreciated > > > Thanks and regards > > > fossil > > > > ________________________________ > > > > Ahhh...imagining that irresistible "new car" smell? > > Check out new cars at Yahoo! Autos. > > <http://us.rd.yahoo.com/evt=48245/*ht.../new_cars.html > > ;_ylc=X3oDMTE1YW1jcXJ2BF9TAzk3MTA3MDc2BHNlYwNtYWls dGFncwRzbGsDbmV3LWNhc > > nM-> > > ------------------------------------------------------------------------- > This SF.net email is sponsored by DB2 Express > Download DB2 Express C - the FREE version of DB2 express and take > control of your XML. No limits. Just data. Click to get it now. > http://sourceforge.net/powerbar/db2/ > _______________________________________________ > Snort-users mailing list > Snort-users@lists.sourceforge.net > Go to this URL to change user options or unsubscribe: > https://lists.sourceforge.net/lists/...fo/snort-users > Snort-users list archive: > http://www.geocrawler.com/redir-sf.p...st=snort-users ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users 
|
Linear Mode
