
How can the operator test Snort?

There are various ways to test Snort's intrusion detection capabilities, from writing a single test rule to running tools such as IDSWakeup or launching a real exploit against a target system.

The easiest way to confirm that Snort is actually seeing any traffic is to create a simple rule, generate the traffic it matches, and check whether Snort raises an alert. If you wish to run a tool like IDSWakeup, it will indeed generate some alerts, since it replays packets crafted to match common IDS signatures. A simple Nmap scan will most likely generate some alerts as well. Setting up a target system and running an actual malicious attack, such as exploitation via Metasploit, tests Snort against a server-side attack. More elaborate client-side attacks (a user's browser or mail client fetching malicious content) can also be devised to test Snort's ability to detect that attack pattern.

The bottom line is to figure out the goal of your Snort test, and then devise the simplest way to accomplish that goal. It's always best to begin by running Snort with a very basic rule that cannot fail to match, such as one that fires on any ICMP packet. If you can't get Snort to fire on the most basic activity, then a serious problem exists with the sensor itself (the interface, the configuration or the rule path), and testing more elaborate detection before fixing it only wastes time.
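The following script is an added example of the "most basic rule" check described above; it is not code from the original column. It writes a rule that alerts on every ICMP packet, points a minimal configuration at that rule, runs Snort over a packet capture and reports whether the rule's SID appears in the alert file. It assumes Snort 2.x command-line flags (-c config, -r pcap, -A fast, -l logdir, -q), the Snort "fast" alert line format, that SID 1000001 is unused in your rule set, and that you supply your own capture containing at least one ICMP packet (for example, a ping recorded with tcpdump) in the PCAP environment variable. The sample alert lines used to exercise the parsing functions are constructed for this example.

```shell
#!/bin/sh
# Added example: the "does Snort see traffic at all" test, scripted.
# Assumptions: Snort 2.x CLI flags (-c, -r, -A fast, -l, -q), fast alert
# format, SID 1000001 free, and $PCAP pointing at a capture with ICMP in it.
set -eu

WORK="${WORK:-$(mktemp -d)}"
TEST_SID=1000001

# A rule that fires on any ICMP packet in either direction. If this never
# alerts, Snort is not seeing traffic and nothing more elaborate is worth trying.
write_test_rule() {
    sid="$1"; out="$2"
    printf 'alert icmp any any -> any any (msg:"TEST rule %s fired"; sid:%s; rev:1;)\n' \
        "$sid" "$sid" > "$out"
}

# Minimal configuration that loads only the test rule (assumption: the
# defaults Snort applies without a full snort.conf suffice for a plain ICMP rule).
write_test_conf() {
    rules="$1"; out="$2"
    printf 'include %s\n' "$rules" > "$out"
}

# Count hits for a SID in a fast-format alert file. A fast alert line looks like
#   03/01-10:15:42.123456  [**] [1:1000001:1] TEST rule 1000001 fired [**] [Priority: 0] {ICMP} 10.0.0.5 -> 10.0.0.9
# so "[1:<sid>:" (generator 1 is the rules engine) identifies a rule hit.
count_sid() {
    alerts="$1"; sid="$2"
    grep -c "\[1:$sid:" "$alerts" || true   # grep -c prints 0 on no match
}

# Succeeds (exit 0) when the SID fired at least once.
sid_fired() {
    [ "$(count_sid "$1" "$2")" -gt 0 ]
}

# Run Snort read-only over a capture and report whether the test rule fired.
run_test() {
    pcap="$1"
    write_test_rule "$TEST_SID" "$WORK/test.rules"
    write_test_conf "$WORK/test.rules" "$WORK/test.conf"
    : > "$WORK/alert"                         # -A fast appends to <logdir>/alert
    snort -q -c "$WORK/test.conf" -r "$pcap" -A fast -l "$WORK"
    if sid_fired "$WORK/alert" "$TEST_SID"; then
        echo "OK: SID $TEST_SID fired $(count_sid "$WORK/alert" "$TEST_SID") time(s); Snort sees traffic"
    else
        echo "FAIL: SID $TEST_SID never fired; fix sniffing/config before testing real rules" >&2
        return 1
    fi
}

# Only invoke Snort when it is installed and a capture was supplied.
if command -v snort >/dev/null 2>&1 && [ -n "${PCAP:-}" ]; then
    run_test "$PCAP"
fi
```

Usage: record a ping with tcpdump (`tcpdump -i eth0 -w ping.pcap icmp` while pinging a host), then run `PCAP=ping.pcap sh snort_basic_test.sh`. A FAIL here means the sensor is broken, not the detection logic; only once this passes is it worth moving on to IDSWakeup, an Nmap scan, or a Metasploit exploit against a target host. To test a live interface instead of a capture, replace `-r "$pcap"` with `-i <interface>` and generate the ping while Snort runs.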

I recommend reading my article "How to test Snort" for more details.

This was last published in January 2008

