Hi, On Tue, Feb 28, 2006 at 01:37:49PM -0500, Richard Bejtlich wrote: > On 2/27/06, Byron Sonne <[EMAIL PROTECTED]> wrote: > > The tools that come to mind for me are 'stick' and 'snot': > > http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0096.html > > > > Hello, > > Stick, Snot, and all other stateless tools are a waste of time, and > have been since mid-2001.
why? 1. You can still test if stream4 (established) TCP works. 2. You can disable stream4 and see how snort behaves on a high alert rate. The subject was testing snort. This way you can not test stream4 but what about output plugins? FPG was build especially on this focus. How will you know if your output plugin does work with a high alert rate if you do not test it? 3. What is with UDP, ICMP or IP? Attacks on these fields are still possible without an "established" state (whatever this might be with these protocols). So I won't say these toolls are a waste of time, it depends highly on what you like to test. Best regards Dirk Geschke ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
