Re: Snort signature packet generator: Thanks

From: Richard Bejtlich (taosecurity_at_gmail.com)
Date: 11/10/04

  • Next message: Stefano Zanero: "Re: Snort signature packet generator"
    Date: Wed, 10 Nov 2004 12:27:58 -0500
    To: focus-ids@securityfocus.com
    
    

    Graeme Connell wrote:
    >
    > To all who sent me links to programs generating packets from snort
    > signatures: Thanks a bunch. I've got more than enough programs to start
    > myself off with now.

    I think Marty was too polite in his defense of Snort's features.
    Snort's TCP inspection capabilities have been immune to "testing" with
    Snot, Stick, Sneeze, and now Mucus since the implementation of stream4
    three years ago. I would not waste time using stateless tools like
    these to generate TCP traffic of any sort.

    This topic seems to surface every 6 months or less, with often the
    same suspect programs mentioned. [0] I would like to see Marty get
    credit for work he did in mid-2001 -- forget these stateless tools.

    Besides using Nessus or replaying captured traffic, I recommend
    generating real exploit traffic against live lab targets using
    something like the Metasploit Framework. [1] As far as open source
    goes, you can't beat the Metasploit collection of quality exploits in
    a user-friendly package.

    Richard
    http://www.taosecurity.com

    [0] http://www.mcabee.org/lists/snort-users/Jun-04/msg00167.html
    [1] http://www.metasploit.com/

    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------


  • Next message: Stefano Zanero: "Re: Snort signature packet generator"