Re: Firewall Tester 0.6

From: Andrea Barisani (
Date: 04/10/02

Date: Wed, 10 Apr 2002 10:57:12 +0200
From: Andrea Barisani <>
To: Greg Shipley <>

On Tue, Apr 09, 2002 at 08:09:10PM -0500, Greg Shipley wrote:
> On Tue, 9 Apr 2002, Andrea Barisani wrote:
> > * IDS testing option, manually or directly with snort rule files
> Is this simply replaying SNORT rules back onto the wire? If so, I would
> caution the reader/user as to the problems with this method of "IDS
> testing." Using Snort sig files will test if an IDS will alert on, well,
> snort sig files...not necessarily actual attacks.
> As Robert Graham stated earlier:
> "These signatures are not triggering on the attack, but some (hopefully
> unique) fingerprint related to the attack."
> Big difference.
> ((Snort rule data) NOT EQUAL TO (actual attack data))
> Please understand that I'm not trying to pick on your tool (I'm sure it's
> quite useful!), I just think it's important to caution the community on
> what these kinds of things can, and can not, do.
> Thanks,
> -Greg

You are right Greg.

Of course injecting a snort rule is far from an actual attack; these kinds of
tools are not designed for that purpose. They are useful for testing IDS
performance, placement on the network and stateful inspection methods.
They do not perform real traffic and their results should be accepted with
caution and a proper level of confidence.

People that use these tools must be aware of that and I welcome to that;
however, I think that these arguments are well known.


INFIS Network Administrator & Security Officer
Department of Physics - University of Trieste - PGP Key 0x8E21FE82
----------------------------------------------------
"How would you know I'm mad?" said Alice.
"You must be," said the Cat, "or you wouldn't have come here."