RE: Snort signature packet generator

From: Eric Hines (eric.hines_at_appliedwatch.com)
Date: 11/08/04

    To: "'Graeme Connell'" <gconnell@middlebury.edu>, <focus-ids@securityfocus.com>
    Date: Mon, 8 Nov 2004 10:15:35 -0600
    
    

     

    Graeme,

    Several exist.

    1) Snot
    2) Stick

    However, a pretty awesome tool that we've been using internally is
    IDS Informer from Blade Software (http://www.blade-software.com). This
    tool not only sends the attacks out on the wire but also completes a
    three-way handshake with the attack simulating a victim host to make
    Snort/any IDS think an actual attack is taking place. You can choose
    from hundreds, if not more, attacks from its attack selector. They'll
    give you a 30-day trial if you want to sniff it out. It is definitely
    worth a look at!

    http://www.blade-software.com/IDSInformer.htm

    Regards,

    Eric Hines, GCIA, CISSP
    CEO, President
    Applied Watch Technologies, Inc.
    http://www.appliedwatch.com
    Direct: (877) 262-7593 x327
    1134 N. Main St.
    Algonquin, IL 60102

     

    -----Original Message-----
    From: Graeme Connell [mailto:gconnell@middlebury.edu]
    Sent: Friday, November 05, 2004 11:29 AM
    To: focus-ids@securityfocus.com
    Subject: Snort signature packet generator

    I'm attempting to train a neural network using Snort, and I'm having
    trouble getting a good number of "bad" packets, i.e., those that Snort
    considers malicious. Since a Snort signature is really just a
    definition of a subset of all possible packets, it seems like it
    should be possible to create a packet that Snort considers bad by
    filling in packet fields based on a Snort signature, then filling the
    rest of the packet with random garbage. Does anyone know if this
    type of program has already been created, and if so, where could I
    find it? Thanks.

                    --Graeme Connell




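The following is an added example, not code from the thread or from any tool named in it. It works through the approach described in the original question: it places a rule's `content` patterns at their `offset`/`depth` positions inside random filler, checks the result offline, and flags `flow:established`, the option that separates a generator completing the three-way handshake from one sending single packets. The rule text, SID and function names are constructed for illustration.

```python
import os
import re

# Constructed sample rule for illustration; not taken from the thread.
SAMPLE_RULE = ('alert tcp any any -> any 80 (msg:"constructed test rule"; '
               'flow:to_server,established; content:"GET"; depth:3; '
               'content:"|2F 2E 2E 2F|"; offset:4; sid:1000001;)')

OPTION = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def decode_content(pattern):
    """Convert Snort content syntax (text with |hex| runs) to bytes."""
    parts = pattern.split("|")
    # Odd-indexed parts sat between pipes and hold hex byte values.
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(parts))

def parse_rule(rule):
    """Return (contents, flow) from the option block of one rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    contents, flow = [], ""
    for key, value in OPTION.findall(body):
        value = value.strip().strip('"')
        if key == "content":
            contents.append({"data": decode_content(value), "offset": 0, "depth": None})
        elif key in ("offset", "depth") and contents:
            contents[-1][key] = int(value)  # modifies the preceding content
        elif key == "flow":
            flow = value
    return contents, flow

def build_payload(contents, size=64):
    """Random filler with each content placed where its offset/depth allow."""
    payload, cursor = bytearray(os.urandom(size)), 0
    for c in contents:
        pos = max(c["offset"], cursor)
        end = pos + len(c["data"])
        if end > size or (c["depth"] is not None and end > c["offset"] + c["depth"]):
            raise ValueError("content does not fit its offset/depth window")
        payload[pos:end] = c["data"]
        cursor = end
    return bytes(payload)

def payload_matches(payload, contents):
    """Check every content inside its window, as the rule options require."""
    def window(c):
        stop = None if c["depth"] is None else c["offset"] + c["depth"]
        return payload[c["offset"]:stop]
    return all(c["data"] in window(c) for c in contents)

def needs_session(flow):
    """flow:established only fires inside a TCP session the sensor tracked."""
    return "established" in re.split(r"\s*,\s*", flow)
```

A payload built this way satisfies the content options, but when `needs_session` is true a sensor that tracks TCP state will not alert on it unless it arrives inside an established connection.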
