How can the operator test Snort?

The easiest way to ensure Snort is actually seeing any traffic is to create a simple rule and see if Snort generates an alert. If you wish to run a tool like IDSWakeup

    Requires Free Membership to View

, it will indeed generate some alerts. A simple Nmap scan will most likely generate some alerts as well. Setting up a target system and running an actual malicious attack, such as exploitation via Metasploit, is a means to test Snort via server-side attack. More elaborate client-side attacks can also be devised to test Snort's ability to detect that attack pattern.

The bottom line is to figure out the goal of your Snort test, and then devise the simplest way to accomplish that goal. It's always best to begin by running Snort with a very basic rule. If you can't get Snort to fire on the most basic activity, then a serious problem exists.

I recommend reading my article "How to test Snort" for more details.

This was first published in January 2008

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: