Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: SNORT Testing

from [Dirk Geschke] Network Security [Permanent Link]
Subject: Re: SNORT Testing
Date: Thu, 2 Mar 2006 09:51:31 +0100 
Hi,

On Tue, Feb 28, 2006 at 01:37:49PM -0500, Richard Bejtlich wrote:

On 2/27/06, Byron Sonne <blsonne@rogers.com> wrote:

The tools that come to mind for me are 'stick' and 'snot':
http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0096.html



Hello,

Stick, Snot, and all other stateless tools are a waste of time, and
have been since mid-2001.


why?

1. You can still test if stream4 (established) TCP works.
2. You can disable stream4 and see how snort behaves on a high
   alert rate. The subject was testing snort. This way you can 
   not test stream4 but what about output plugins? FPG was build
   especially on this focus. How will you know if your output
   plugin does work with a high alert rate if you do not test
   it?
3. What is with UDP, ICMP or IP? Attacks on these fields are
   still possible without an "established" state (whatever this
   might be with these protocols).

So I won't say these toolls are a waste of time, it depends
highly on what you like to test.

Best regards

Dirk Geschke

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IDS Analyst skill set, Eric Grejda
Next by Date:  RE: Testing IDS with tcpreplay, Vik Phatak
Previous by Thread:  Re: SNORT Testing, Richard Bejtlich
Next by Thread:  Re: SNORT Testing, Aaron Turner
Indexes:  [Date] [Thread] [Top] [All Lists]