How can the operator test Snort?

There are various ways to test Snort's intrusion detection capabilities, including setting rules and running tools such as IDSWakeup.

The easiest way to ensure Snort is actually seeing any traffic is to create a simple rule and see if Snort generates an alert. If you wish to run a tool like IDSWakeup, it will indeed generate some alerts. A simple Nmap scan will most likely generate some alerts as well. Setting up a target system and running an actual malicious attack, such as exploitation via Metasploit, is a means to test Snort via server-side attack. More elaborate client-side attacks can also be devised to test Snort's ability to detect that attack pattern.

The bottom line is to figure out the goal of your Snort test, and then devise the simplest way to accomplish that goal. It's always best to begin by running Snort with a very basic rule. If you can't get Snort to fire on the most basic activity, then a serious problem exists.

I recommend reading my article "How to test Snort" for more details.
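The "start with the most basic rule" advice above, as an added shell example that is not part of the original answer or of the Snort project: it writes a one-line ICMP rule into a local rules file, shows the Snort 2.x command line that would replay a capture against it with fast-format alerts, and then counts alerts for that rule's sid in the resulting alert file. The config path, capture file and log directory are placeholders, and the two alert lines used for the offline demonstration are constructed to match Snort's alert_fast output format.

```shell
#!/bin/sh
# Added example (not from the original answer or the Snort project).
# Assumes a Snort 2.x command line (-c, -r, -A fast, -l); paths are placeholders.

# Step 1: the simplest possible rule: alert on any ICMP packet in either direction.
# Local rules conventionally use sid >= 1000000 so they never clash with vendor sids.
TEST_SID=1000001
write_basic_rule() {
    rules_file="$1"
    printf 'alert icmp any any -> any any (msg:"ICMP sanity check"; sid:%s; rev:1;)\n' \
        "$TEST_SID" > "$rules_file"
}

# Step 2: replay a capture through Snort with fast-format alerts into a log directory.
# Only runs when snort is installed; the snort.conf given must include the rules file
# written in step 1 (e.g. via an "include $RULE_PATH/local.rules" line).
run_snort_on_pcap() {
    conf="$1"; pcap="$2"; logdir="$3"
    command -v snort >/dev/null 2>&1 || { echo "snort not installed" >&2; return 1; }
    snort -q -c "$conf" -r "$pcap" -A fast -l "$logdir"
}

# Step 3: count alert_fast lines carrying our sid. Each line holds a "[gid:sid:rev]"
# field, so "[1:1000001:" matches only rule 1000001 and not, say, 1000010.
# A missing alert file means zero alerts, which is itself the "serious problem" signal.
count_alerts_for_sid() {
    alert_file="$1"; sid="$2"
    [ -f "$alert_file" ] || { echo 0; return 0; }
    grep -c "\[1:${sid}:" "$alert_file" || true
}

# Offline demonstration with constructed data (no Snort needed): a rules file and a
# fake alert_fast log holding one hit for our sid and one unrelated alert.
DEMO_DIR=$(mktemp -d)
write_basic_rule "$DEMO_DIR/local.rules"
cat > "$DEMO_DIR/alert" <<'EOF'
01/15-10:00:00.000001  [**] [1:1000001:1] ICMP sanity check [**] [Priority: 0] {ICMP} 10.0.0.1 -> 10.0.0.2
01/15-10:00:01.000001  [**] [1:1000002:1] Unrelated rule [**] [Priority: 0] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80
EOF
echo "rule written:   $(cat "$DEMO_DIR/local.rules")"
echo "alerts for sid $TEST_SID: $(count_alerts_for_sid "$DEMO_DIR/alert" "$TEST_SID")"
# With a real deployment the sequence is:
#   run_snort_on_pcap /etc/snort/snort.conf ping.pcap /var/log/snort
#   count_alerts_for_sid /var/log/snort/alert "$TEST_SID"
# where ping.pcap is any capture containing an ICMP echo; a count of 0 means Snort is
# not seeing the traffic or not loading the rule, and that is what to fix first.
```

Running the real sequence against a capture that contains a single ping exchange should give a count of at least 2 (request and reply); only once that works is it worth moving on to IDSWakeup, an Nmap scan or a full exploitation test.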

This was first published in January 2008