How can the operator test Snort?
The easiest way to ensure Snort is actually seeing any traffic is to create a simple rule and see if Snort generates an alert. If you wish to run a tool like IDSWakeup, it will indeed generate some alerts. A simple Nmap scan will most likely generate some alerts as well. Setting up a target system and running an actual malicious attack, such as exploitation via Metasploit, is a way to test detection of a server-side attack. More elaborate client-side attacks can also be devised to test Snort's ability to detect that attack pattern.

The bottom line is to figure out the goal of your Snort test, and then devise the simplest way to accomplish that goal. It's always best to begin by running Snort with a very basic rule. If you can't get Snort to fire on the most basic activity, then a serious problem exists.
I recommend reading my article "How to test Snort" for more details.
This was first published in January 2008