Testing Rules

Problem

I have new rules and ideas for rules I want to test without causing problems for the production deployment. How can I use Snort to test itself?

Solution

There are actually a couple of answers to this question. The simplest is to let Snort itself parse the configuration and every rule file it includes without ever putting the interface into sniffing mode, using the -T (test) flag. Snort reads the configuration, reports any syntax or option errors in the rules, and then exits, so a bad rule is caught before it reaches the production sensor:

snort -c /path/to/my/snort.conf -i Sniff_interface -l /log/snort/path -T
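The following shell wrapper, added here as an example and not part of the Snort Cookbook, turns that command line into a repeatable check: it copies an existing Snort configuration, appends an include of a candidate rules file, runs snort -T against the throwaway copy, and reports Snort's exit status. It assumes SNORT_BIN names the snort binary (default: snort on PATH), that the interface name is a placeholder, and that Snort resolves relative include paths against the directory of the -c configuration file, which is why the temporary copy is written next to the original.

```shell
#!/bin/sh
# Added example, not from the Snort Cookbook: validate a candidate rules file
# with "snort -T" before it reaches the production sensor.
# Assumptions: SNORT_BIN is the snort binary (default "snort" on PATH); the
# interface name is a placeholder; Snort resolves relative "include" paths
# against the directory of the -c config file, so the temporary config is
# written beside the original one and removed afterwards.

# Write a throwaway config next to $1 that is a copy of $1 plus an include of
# the candidate rules file $2. Prints the path of the new config.
build_test_conf() {
    base_conf=$1
    candidate_rules=$2
    conf_dir=$(dirname "$base_conf")
    test_conf=$(mktemp "$conf_dir/snort-test-XXXXXX") || return 2
    {
        cat "$base_conf"
        printf '\n# candidate rules under test\ninclude %s\n' "$candidate_rules"
    } > "$test_conf" || return 2
    printf '%s\n' "$test_conf"
}

# Run snort -T against the throwaway config. The exit status is Snort's own:
# 0 when the config and every rule parsed, non-zero on any error.
# Snort's output is kept in $logdir/snort-T.out for inspection, and the
# temporary config is removed either way so production files are untouched.
snort_test_rules() {
    base_conf=$1
    candidate_rules=$2
    iface=${3:-eth0}                     # placeholder sniff interface
    logdir=${4:-$(mktemp -d)} || return 2
    mkdir -p "$logdir" || return 2
    test_conf=$(build_test_conf "$base_conf" "$candidate_rules") || return 2
    "${SNORT_BIN:-snort}" -c "$test_conf" -i "$iface" -l "$logdir" -T \
        > "$logdir/snort-T.out" 2>&1
    rc=$?
    rm -f "$test_conf"
    if [ "$rc" -ne 0 ]; then
        echo "rule test failed (exit $rc); see $logdir/snort-T.out" >&2
    fi
    return "$rc"
}
```

A typical call is snort_test_rules /etc/snort/snort.conf /tmp/candidate.rules eth0; a non-zero status with the saved snort-T.out is what a pre-deployment check in a rule-management script would key on.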

Discussion

For a full discussion of how to set up a testing infrastructure for Snort, check out the chapter on keeping Snort up to date in the Snort 2.1 book (Syngress). Solutions for a testing infrastructure for large and small organizations will differ with size, cost, and necessity.

See Also

Beale, Jay. Snort 2.1 Intrusion Detection. Rockland, MA: Syngress, 2004.

Open Source Testing Methodology (http://www.osstmm.org/)