Home page logo

snort logo Snort mailing list archives

Re: Triggering a complex snort rule (packet forging)
From: waldo kitty <wkitty42 () windstream net>
Date: Tue, 02 Apr 2013 10:37:43 -0500

On 4/2/2013 08:11, lists () packetmail net wrote:
Welcome to the IDS fun :)  I'd just stand up a webserver you can control over
and craft the pages to send the payload you're attempting to match on.  This is
what I do and it's much easier than packet forging.  Also, consider too, this is
as close as you can get to real world examples of the content you're trying to
match on.  You're behaving exactly as a webserver should and you don't need to
worry about false negatives or false positives as a result of packet
forging/crafting on the wire.

+1 :)

Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire 
the most talented Cisco Certified professionals. Visit the 
Employer Resources Portal
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]