The easiest way to ensure Snort is actually seeing any traffic is to create a simple rule and see if Snort generates an alert. If you wish to run a tool like IDSWakeup, it will indeed generate some alerts. A simple Nmap scan will most likely generate some alerts as well. Setting up a target system and running an actual malicious attack, such as exploitation via Metasploit, is a means to test Snort via server-side attack. More elaborate client-side attacks can also be devised to test Snort's ability to detect that attack pattern.
About the author: Richard Bejtlich is director of incident response at General Electric Company in Manassas, Va. and blogs at Bejtlich.net and TaoSecurity.com. Listen to the rest of Richard's answers on Snort by downloading our Snort podcast.

The bottom line is to figure out the goal of your Snort test, and then devise the simplest way to accomplish that goal. It's always best to begin by running Snort with a very basic rule. If you can't get Snort to fire on the most basic activity, then a serious problem exists.
I recommend reading my article "How to test Snort" for more details.