Testing Snort IDS installation

  • What is the easiest way to test Snort IDS after installing? Would using and writing a rule that captures all of the traffic work?

    alert ip any any -> any any ( msg: "ICMP packet detected!"; sid: 1; )

    That is, using its own rules.

    One way that I know of for testing Snort is by using some programs such as Nmap, Metasploit, and something else, but how can it be done?

    Ping the Snort machine. Snort thinks pings are DoS. Then check the alert directory. On Linux this is /var/log/squid/; if you are on Windows then I don't know...

  • Graham Hill (correct answer, 9 years ago)

    There are two subtly different things you might want to test.

    1. Is Snort working in the sense that it's running, able to sniff traffic, testing it against the rules, and alerting you when one is triggered?
    2. Is Snort working in the sense that its current rule set detects a specific intrusion of type X?

    To test case 1, you make a rule that's easy to fire, like your example, and fire it. To test case 2, you have to attempt an intrusion of type X and confirm that it is detected.

    You seem to be wanting to test case 1 (that the install has been done correctly) using the method in case 2, but you don't need to. Using a "fake" rule is a perfectly valid test that Snort is working in the first sense. And it's easier. Easy tests are good. You don't want to faff around with Metasploit when you're just checking that the alert emails go to the right person. Especially if you're not skilled in running intrusions: what if you do the intrusion wrong, and get a false test result? What if the intrusion attempt crashes the target (which is very likely on many types of intrusion)?

    You really only need to test case 2, that a specific rule works against a real intrusion attempt, if you don't trust your rule set (in which case - why are you using it?) or if you're developing new rules.

    I say "like your example" but your actual example is not a good test rule to set up. Something like "alert me if you see port 80 web traffic coming into this host" will be much easier to control. You want to be able to make the rule fire on command, so you can test, adjust settings, and test again. Something that's firing all the time will be too noisy.

    May I ask you to give a detailed example?!!

    If you have a host at 192.168.1.1 then this rule will detect any attempt to ping it:

    alert icmp any any -> 192.168.1.1 any (msg: "Someone Pinged DotOne";)

    Yes, I know this. I do that!! But my question is how to use those programs to test Snort's rules (default rules, I mean)?

    To test a specific existing rule, you have to attempt the intrusion it protects against: but as I mention, you should not normally need to do that.
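The "case 1" check from the answer, carried through end to end as an added example (this is not code from the question, the answer, or the Snort project): build a test rule that only fires for traffic you deliberately send to one host (the ping rule from the comments and the "port 80 coming into this host" rule suggested in the answer), then, after you trigger it, confirm the alert log actually contains an alert with that rule's SID. It assumes Snort was run with fast alert output (`-A fast`), whose line layout is shown in the comment above the regex; the log lines in `SAMPLE_ALERT_LOG` are constructed samples, and the host address and SIDs are placeholders. The SID floor of 1,000,000 is the conventional start of the range reserved for local rules.

```python
"""Verify that a deliberately easy-to-fire Snort test rule actually raised an alert.

Workflow: write a rule you can trigger on demand, trigger it (ping the host, or
fetch port 80 on it), then check the alert log for that rule's SID. Everything
here runs offline: the alert lines are constructed samples in alert_fast format.
"""
import re
from dataclasses import dataclass

LOCAL_SID_MIN = 1_000_000  # SIDs below this belong to the published rule sets


def make_test_rule(host: str, sid: int, proto: str = "icmp", port: str = "any",
                   msg: str = "Local test rule") -> str:
    """Build a one-line rule that fires only for traffic sent to `host`.

    A specific destination (rather than any -> any) keeps the rule quiet until
    you send the test traffic yourself, so it can be fired on command.
    """
    if sid < LOCAL_SID_MIN:
        raise ValueError(f"use a SID >= {LOCAL_SID_MIN} for local rules (got {sid})")
    return (f'alert {proto} any any -> {host} {port} '
            f'(msg:"{msg}"; sid:{sid}; rev:1;)')


# alert_fast line layout (assumed), e.g.
# 08/15-14:22:01.123456  [**] [1:1000001:1] Msg [**] [Priority: 0] {ICMP} 10.0.0.5 -> 192.168.1.1
_FAST = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)


@dataclass
class Alert:
    sid: int
    msg: str
    proto: str
    src: str
    dst: str


def parse_fast_alert(line: str):
    """Parse one alert_fast line; return None for lines that are not alerts."""
    m = _FAST.match(line.strip())
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], m["proto"], m["src"], m["dst"])


def alerts_for_sid(log_text: str, sid: int):
    """All alerts in the log raised by the rule with this SID."""
    return [a for a in map(parse_fast_alert, log_text.splitlines())
            if a is not None and a.sid == sid]


def rule_fired(log_text: str, sid: int, expected_dst: str) -> bool:
    """True if the test rule fired at least once against the host we targeted.

    The destination may carry a ':port' suffix for TCP/UDP, so compare the
    address part only.
    """
    return any(a.dst.split(":")[0] == expected_dst
               for a in alerts_for_sid(log_text, sid))


# Constructed sample log: one ICMP alert from the ping test rule, one TCP alert
# from the port-80 test rule, and one line that is not an alert at all.
SAMPLE_ALERT_LOG = """\
08/15-14:22:01.123456  [**] [1:1000001:1] Someone Pinged DotOne [**] [Priority: 0] {ICMP} 10.0.0.5 -> 192.168.1.1
08/15-14:22:07.654321  [**] [1:1000002:1] Web traffic to DotOne [**] [Classification: Misc activity] [Priority: 3] {TCP} 10.0.0.5:51234 -> 192.168.1.1:80
this line is not an alert
"""

if __name__ == "__main__":
    # Placeholder host and SIDs; substitute your own when writing local.rules.
    print(make_test_rule("192.168.1.1", 1000001, msg="Someone Pinged DotOne"))
    print(make_test_rule("192.168.1.1", 1000002, proto="tcp", port="80",
                         msg="Web traffic to DotOne"))
    for sid in (1000001, 1000002, 1000003):
        status = "fired" if rule_fired(SAMPLE_ALERT_LOG, sid, "192.168.1.1") else "did NOT fire"
        print(f"sid {sid}: {status}")
```

Checking for the SID rather than grepping for the message text is the point: two rules can share a message, but the SID identifies exactly which rule Snort matched, which is what you want to know when adjusting settings and re-testing.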

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM