|
IDS
mailing list archives
Re: SNORT Testing
From: Eric Hines <eric.hines () appliedwatch com>
Date: Thu, 02 Mar 2006 10:01:34 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Byron,
Martin is right. You will want to pick up a "big iron" that does
multi-gig packet generation made by companies such as Xtramsus, Spirent,
and so on.. Although, the price point isn't for the faint of heart..
The tools you mentioned won't really even work with Snort since the
improvements Martin mentioned in its capabilities in maintaining state
- -- which was done quite some time ago in earlier versions of Snort. You
would need to disable the stream4 preprocessor for those tools to even
work since Snort will require a completed three-way handshake.
The reason Martin mentioned the packet generators is to shove gigs of
traffic through your Snort sensor while also popping some attacks
through it to test the accuracy of Snort and whether any attacks went
through undetected. You may also want to check out a tool called
IDSInformer. This tool relies on a dual-nic system which allows it to
complete the three-way handshake before launching the attack. Although,
it is commercial, but I believe they still offer a trial version.
Best Regards,
Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
- ---------------------------------------------
Eric Hines, GCIA, CISSP
CEO, President
Applied Watch Technologies, LLC
1095 Pingree Road
Suite 213
Crystal Lake, IL 60014
Toll Free: (877) 262-7593 ext:327
Direct: (847) 854-2725 ext:327
Fax: (847) 854-5106
Web: http://www.appliedwatch.com
Email: eric.hines () appliedwatch com
- --------------------------------------------
"Enterprise Open Source Security Management"
Martin Roesch wrote:
Byron,
This may sound a bit snippy but it's not pointed at you, I'm just
frustrated with the tools that are out there. :)
Stick and Snot do *not* test Snort, they haven't tested Snort in any
meaningful way for years, and they only "tested" Snort in their
original form for a few months in 2001 while I made things more
stateful. If you really want to test Snort for performance you should
probably start thinking about investing a few hundred $k in some gear
from Spirent or maybe Ixia for load generation and then get metasploit
for attack generation. A properly configured Snort on a fast enough
platform will take gigabit switches and high end test equipment to
generate enough traffic to simulate anything that will tax it.
Without the load generation gear all you can do is functional testing
of Snort and for that you should probably be looking at metasploit/
fragrouter/scapy/etc for that sort of thing.
I don't know if FPG is capable of doing anything with rules that use
flowbits or relative offsets from previous detections, much less regex
rules. This includes the vast majority of rules that are developed for
Snort these days. Mucus is in the same boat, it was built for Snort
version ~1.8.3-6, it will be unsuitable for testing modern versions of
Snort if the latest release (from 2003) is any indication.
Stick/snot/sneeze/fpg/mucus are not suitable ways of testing Snort's
"throughput", let's all try to remember that from this point on, we've
been saying it for years. If you want to get a really accurate
measurement of how Snort performs, you should be putting it into an
operational environment where it's going to be deployed and tune it
suitably for that environment and then see what the numbers look like.
That's the absolute best way, doing repeatable network-based testing is
the next best way and after that you've got a variety of non-repeatable
or irrelevant testing setups that won't show you anything meaningful
because they're not repeatable nor are they well scoped.
What you want to achieve is repeatable functional testing of the engine
components at high bandwidth utilization/packet per second rates. The
repeatable high-bandwidth generation costs lots of money, the
functional testing tools are largely available for free, although there
are a few good commercial tools out there too.
-Marty
On Feb 27, 2006, at 5:54 PM, Byron Sonne wrote:
The tools that come to mind for me are 'stick' and 'snot':
http://archives.neohapsis.com/archives/fulldisclosure/ 2004-09/0096.html
---------------------------------------------------------------------- --
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks
from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-
ids_040708 to learn more.
---------------------------------------------------------------------- --
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
- ------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
- ------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFEBxbdbOqF2QHgUK0RAq5AAKCmwQJfJlcu655HBH9a7hOU22du9wCeIikO
9B0QMgA88+CbVgRHpBtl3c8=
=E7vx
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
 By Date 
By Thread
Current thread:
|
Intro
