|
IDS
mailing list archives
Re: SNORT Testing
From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Thu, 2 Mar 2006 09:51:31 +0100
Hi,
On Tue, Feb 28, 2006 at 01:37:49PM -0500, Richard Bejtlich wrote:
On 2/27/06, Byron Sonne <blsonne () rogers com> wrote:
The tools that come to mind for me are 'stick' and 'snot':
http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0096.html
Hello,
Stick, Snot, and all other stateless tools are a waste of time, and
have been since mid-2001.
why?
1. You can still test if stream4 (established) TCP works.
2. You can disable stream4 and see how snort behaves on a high
alert rate. The subject was testing snort. This way you can
not test stream4 but what about output plugins? FPG was build
especially on this focus. How will you know if your output
plugin does work with a high alert rate if you do not test
it?
3. What is with UDP, ICMP or IP? Attacks on these fields are
still possible without an "established" state (whatever this
might be with these protocols).
So I won't say these toolls are a waste of time, it depends
highly on what you like to test.
Best regards
Dirk Geschke
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
|
Intro
