Re: Firewall Tester 0.6

From: Greg Shipley (
Date: 04/10/02

Date: Tue, 9 Apr 2002 20:09:10 -0500 (CDT)
From: Greg Shipley <>
To: Andrea Barisani <>

On Tue, 9 Apr 2002, Andrea Barisani wrote:

> * IDS testing option, manually or directly with snort rule files

Is this simply replaying SNORT rules back onto the wire? If so, I would
caution the reader/user as to the problems with this method of "IDS
testing." Using Snort sig files will test if an IDS will alert on, well,
snort sig files...not necessarily actual attacks.

As Robert Graham stated earlier:

"These signatures are not triggering on the attack, but some (hopefully
unique) fingerprint related to the attack."

Big difference.

((Snort rule data) NOT EQUAL TO (actual attack data))

Please understand that I'm not trying to pick on your tool (I'm sure it's
quite useful!), I just think it's important to caution the community on
what these kinds of things can, and cannot, do.
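To make the point concrete, here is an added illustration (not from the post, the tool, or Snort itself): a minimal Snort-style content matcher run over a constructed rule. It shows that a packet built by replaying the rule's own content strings satisfies the match, that an ordinary request merely carrying the same bytes satisfies it too, and that the rule's flow/dsize conditions are never exercised by such a replay. The rule, the requests and the option list are all constructed for the example.

```python
# Constructed rule in Snort 1.x/2.x syntax; the path and sid are made up.
SAMPLE_RULE = (
    'alert tcp any any -> any 80 (msg:"EXAMPLE cgi probe"; '
    'flow:to_server,established; content:"GET "; '
    'content:"/cgi-bin/example|2E|cgi"; nocase; dsize:<200; sid:1000001;)'
)
METADATA = {"msg", "sid", "rev", "classtype", "reference", "priority"}

def unescape(s):
    """Expand Snort |hex| escapes: 'a|2E|b' -> b'a.b'."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def parse_rule(rule):
    """Return ([(content_bytes, nocase), ...], {other option: value}).
    Simplification: options are split on ';', so content strings must not contain one."""
    body = rule.partition("(")[2].rstrip(")")
    contents, options = [], {}
    for opt in (o.strip() for o in body.split(";") if o.strip()):
        name, _, val = opt.partition(":")
        if name == "content":
            contents.append([unescape(val.strip().strip('"')), False])
        elif name == "nocase" and contents:
            contents[-1][1] = True          # modifier applies to the last content
        else:
            options[name] = val.strip()
    return [tuple(c) for c in contents], options

def content_matches(payload, contents):
    """True when every content string is found (case-folded when nocase is set)."""
    for pattern, nocase in contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True

def replay_payload(contents):
    """What a rule-replaying tester sends: the content strings glued together."""
    return b"".join(p for p, _ in contents)

def untested_options(options):
    """Rule conditions (flow state, size, ...) that a bare content replay never checks."""
    return sorted(k for k in options if k not in METADATA)

CONTENTS, OPTIONS = parse_rule(SAMPLE_RULE)
# Constructed benign request that merely mentions the path in a header: it is not
# the probe the rule was written for, yet the content fingerprint still fires.
BENIGN = (b"GET /docs/readme.txt HTTP/1.0\r\n"
          b"Referer: http://example.test/CGI-BIN/EXAMPLE.CGI\r\n\r\n")

if __name__ == "__main__":
    print("replay matches:", content_matches(replay_payload(CONTENTS), CONTENTS))
    print("benign request matches:", content_matches(BENIGN, CONTENTS))
    print("conditions a replay never exercises:", untested_options(OPTIONS))
```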