Testing Snort

mudderfacar

Hello

I am doing my final year at university on testing the effectiveness of Snort for my project. I have successfully installed Snort with PHP, MySQL and BASE on a Windows XP Pro machine and it all works fine.

I need a little bit of help in testing Snort. Some ideas of how to possibly see whether such and such a scan will be picked up, or what happens when a trojan is in the network (will it pick it up?) etc. would be nice.

At the moment all I'm relying on is people just generally browsing the network and internet and trying to make sense of the alerts that have been generated. Ideally I'd like to come up with ways that I could attempt to attack my network to test if Snort will pick it up, and thus, if it does, can I improve the rules or make new rules to make it more efficient.

Any help you guys can give would be great.

Thanks
 
What network are you on, and what University are you at?

If you're connected through JANET, will this sort of thing work?
 
Hope this helps: Network Security Test

- Microsoft Security Assessment Tool (www.MicrosoftSecurityAssessment.com): official MSAT site, free download.
- News: Security tips from the experts (Malaysia Star, Feb 28, 2006).
- Firewall Test, Port Scan and Internet Security made easy (www.auditmypc.com/): firewall test and port scan made easy, from Audit My PC.
- Web Security and Penetration Testing (www.auditmypc.com/freescan/prefcan.asp): this web security test takes less than 60 seconds.
- Security Scan - Sygate Online Services (SOS) (scan.sygatetech.com/): the accuracy of the SOS test depends on correctly retrieving your computer's IP address. This is not an attack on your computer or network.
- Gibson Research Corporation - ShieldsUP! (grc.com/default.htm): the Internet's quickest, most popular, reliable and trusted free Internet security checkup and information service.
- Nmap - Free Security Scanner For Network Exploration & Security (www.insecure.org/nmap/): new (test/beta) versions of Nmap are sometimes released here prior to general availability.
- Top 75 Network Security Tools (www.insecure.org/tools.html): review of the top 75 network security tools, commercial and free/open source, e.g. DSniff, a suite of powerful network auditing and penetration-testing tools.
- Audited by Netcraft (audited.netcraft.com/audited): even if you already care strongly about security, and diligently test the security of your network, sites and applications from both inside and outside...
- Stealth And Security Tests For Concerned Internet Users (stealthtests.lockdowncorp.com/): online security tests; the Media Access Control (MAC) address shown comes from your network card or dialup adapter.
- Email Anti Virus and Security Testing Zone (www.gfi.com/emailsecuritytest/): test the security of your email system, and read why you need multiple virus engines to maximize network protection.
- SecuritySpace (www.securityspace.com/): new vulnerability tests, e.g. Gentoo Security Advisory GLSA 200602-05 (kdegraphics, kpdf).
 
UK31337 said:
What network are you on, and what University are you at?

If you're connected through JANET, will this sort of thing work?

I'm at the University of Abertay Dundee, not far away from yourself :).
The network I'm using is a standalone network in a room that needs to go through a firewall etc. to get to JANET, so if something were to happen then it would be simple enough to disconnect from the rest of the uni network so that we don't disturb anyone else.
 
May just be me; however, it sounds to me like he is indirectly asking how to break into a secured network. 1. "standalone network" 2. "into other network" 3. "go through firewall" 4. "how?" Uhh, that would be my guess, because anyone who should be in a network would be allowed in, not trying to get in. But that's just my opinion.
 
uid=[0] said:
May just be me; however, it sounds to me like he is indirectly asking how to break into a secured network. 1. "standalone network" 2. "into other network" 3. "go through firewall" 4. "how?" Uhh, that would be my guess, because anyone who should be in a network would be allowed in, not trying to get in. But that's just my opinion.

This guy is doing a Senior Honours Computer Science project... you cannot comprehend the amount of work involved.
 
For those of you who don't know.

Snort is an intrusion detection piece of software; it simply sits on a network monitoring packets.
The intrusion detection capabilities of Snort are quite passive, and it's not (normally) possible for someone to detect that you are running Snort.

However, when you come to test Snort, chances are you'll be testing the intrusion detection capabilities, and you'll be running a piece of software such as Nmap.

Snort will pick this up; however, you'll probably find that whatever uni you are attending will also pick this up, so you should probably seek advice from your uni's computing services as to whether running a port scanner or attempting a simulated intrusion on their network is allowed, or whether it will get you kicked.

Alternatively, you could just set up another small private (detached) network; what you do on your own network is your own business.
 
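Added example (not part of the thread, and not Snort's own code): once a scan such as Nmap's has been run against the detached test network described above, the next problem is the one the original poster raises, making sense of the alerts. The script below parses Snort 2.x `alert_fast` output lines, tallies them per signature, and correlates them per source address the way a `threshold: type both, track by_src, count N, seconds S` clause would, so you can see which count/seconds values separate a scanner from a normal client before putting them into a rule. The sample alert lines are constructed; they assume a hypothetical local rule `alert tcp any any -> $HOME_NET any (msg:"LOCAL Possible SYN scan"; flags:S,12; sid:1000001; rev:1;)` (SID in the local 1000000+ range) that fires once per SYN, plus the classic `ICMP PING` signature. The regex is a reading of the fast-alert format, not an official grammar.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort 2.x "output alert_fast" line, for example:
# 02/28-14:03:11.000001  [**] [1:1000001:1] LOCAL Possible SYN scan [**]
#   [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43211 -> 10.0.0.20:21
# ICMP alerts carry no ports, so the port groups are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample log: one host probing six ports in 1.5 s (a scan),
# one host sending a ping and opening a single SSH connection (benign),
# and one junk line that must be ignored.
SAMPLE_ALERTS = """\
02/28-14:03:11.000001  [**] [1:1000001:1] LOCAL Possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43211 -> 10.0.0.20:21
02/28-14:03:11.200010  [**] [1:1000001:1] LOCAL Possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43212 -> 10.0.0.20:22
02/28-14:03:11.400020  [**] [1:1000001:1] LOCAL Possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43213 -> 10.0.0.20:23
02/28-14:03:11.600030  [**] [1:1000001:1] LOCAL Possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43214 -> 10.0.0.20:25
02/28-14:03:12.000040  [**] [1:1000001:1] LOCAL Possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43215 -> 10.0.0.20:80
02/28-14:03:12.500050  [**] [1:1000001:1] LOCAL Possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43216 -> 10.0.0.20:110
02/28-14:05:01.000000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.20
02/28-14:05:02.000000  [**] [1:1000001:1] LOCAL Possible SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.7:51000 -> 10.0.0.20:22
this line is not a Snort alert and must be skipped
"""


def parse_alert(line, year=2000):
    """Parse one alert_fast line into a dict; return None for non-matching lines.
    Fast-format timestamps carry no year, so one is assumed (2000 is a leap year,
    which keeps 02/29 parseable); only relative times matter below."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["time"] = datetime.strptime(f"{year} {a['ts']}", "%Y %m/%d-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "pri", "sport", "dport"):
        a[key] = int(a[key]) if a[key] is not None else None
    return a


def parse_alerts(text):
    """Parse a whole alert file, silently dropping lines that are not alerts."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def count_by_signature(alerts):
    """Tally alerts per (sid, msg): the first cut at 'what is all this noise?'."""
    counts = defaultdict(int)
    for a in alerts:
        counts[(a["sid"], a["msg"])] += 1
    return dict(counts)


def find_scanners(alerts, min_ports=5, window_seconds=10):
    """Return {src: set_of_dst_ports} for sources that hit at least min_ports
    distinct (dst, port) pairs within window_seconds. This is the same
    correlation a Snort 'threshold: track by_src, count N, seconds S' does;
    run it with different parameters to choose N and S for the rule."""
    by_src = defaultdict(list)
    for a in alerts:
        if a["dport"] is not None:                 # ICMP etc. have no port
            by_src[a["src"]].append((a["time"], a["dst"], a["dport"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):    # slide a window over each start
            seen = set()
            for t, dst, port in events[i:]:
                if (t - t0).total_seconds() > window_seconds:
                    break
                seen.add((dst, port))
            if len(seen) >= min_ports:
                hits[src] = {port for _, port in seen}
                break
    return hits


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (sid, msg), n in sorted(count_by_signature(alerts).items()):
        print(f"sid {sid:>8}  {n:>4}  {msg}")
    for src, ports in find_scanners(alerts).items():
        print(f"scanner {src}: ports {sorted(ports)}")
```

On the constructed sample, 10.0.0.5 is reported as a scanner (six ports in 1.5 seconds) while 10.0.0.7, which only pinged and opened one SSH connection, is not; raising `min_ports` to 7 reports nobody, which is exactly the kind of tuning decision to feed back into the rule's `threshold` clause rather than leaving a per-SYN rule firing on every normal connection.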
Would you usually have the computer with Snort picking up all packets on the network then?

Because a single computer on a large network picking up EVERY single packet is guaranteed to cause slowdowns.
 
It depends how you look at the network and the technology used in a network.
A regular hub is a piece of dumb equipment: it receives a packet and then spits it out of all ports, sending all packets to all ports on the hub; only the computer that actually wants the packet picks it up.
Other computers ignore it.
(This is good when you are sending out broadcast packets or DHCP requests, since the DHCP server usually isn't known, so a general request is made to all machines.)

However, it does mean that when you send information you are actually sending it to all machines.

If you run a program like Snort or Ethereal then you just listen to the network and don't generate any extra traffic.

You'll find that on a switched network, in passive mode, you'll only see traffic either on the hub that you are on (but not other hubs that may be connected to a switch that you are also on), or just your own traffic if you are directly on a switch or router.
 