
I am using pulledpork to get my rules daily. I want to be able to test these rules and make sure everything is working. Is there anything out there that is up to date and working? I know rules2alert is there, but it is vastly unfinished and hasn't been touched in a while. When I run it on my pulledpork rules, I get many errors.

dez
  • Do you have some specific rules in mind you want to check? (i.e. specific signatures) Or you want to check the coverage of the ruleset? – Eriks Dobelis Jul 20 '15 at 19:22
  • @EriksDobelis Well, I'd prefer to test the level 1 priority alerts. But the idea would be to be able to test all rules. – dez Jul 21 '15 at 12:57
  • rules2alert seems to be the closest response. I am not aware of anything better suited. You just need to fix the bugs :) – Eriks Dobelis Jul 21 '15 at 13:01
  • @EriksDobelis I am trying. I also have no background with scapy or packet manipulation, so it's going quite slow. ~_~ – dez Jul 21 '15 at 13:06
  • If you use python3 version and have some particular issue, feel free to post it to http://github.com/phaethon/scapy – Eriks Dobelis Jul 21 '15 at 13:08

1 Answer


It would be interesting to attempt to use a script with Scapy to automatically generate traffic that will trip rules. However, there exists a service with which you can generate a number of IDS alerts using just command-line tools such as wget and curl, or your browser: testmyids.com (blog post).

Just run wget testmyids.com to trip the "GPL ATTACK_RESPONSE id check returned root" signature. This is the most basic check. The website contains details about more complex checks for file formats or executables, detailed in the link.

RyPeck
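The approach the answer describes (a known payload that trips a known signature) can be reproduced offline without touching testmyids.com, and pushed a step toward what the question asks for: pulling the content match out of a rule line and building a TCP stream that carries it, written to a pcap you replay with snort -r. The following is an added example, not code from the question, the answer, rules2alert or testmyids.com. It uses only the Python 3 standard library (no Scapy). The IP addresses, MACs, ports and sequence numbers are made up; the rule line is written from memory in the style of the GPL id-check signature and should be checked against the rule file pulledpork actually wrote; the HTTP response imitates what testmyids.com returns.

```python
import re
import socket
import struct
import time

# Constructed rule line modelled on the GPL "id check returned root" signature.
# Assumption: check the exact option text against your pulledpork output.
SAMPLE_RULE = ('alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; '
               'content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)')

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def rule_contents(rule):
    """Decode every content:"..." option of a rule into bytes (|..| hex runs expanded).

    Negated matches (content:!"...") are skipped: they describe bytes that must be absent.
    """
    out = []
    for raw in re.findall(r'content:\s*"((?:[^"\\]|\\.)*)"', rule):
        buf = bytearray()
        for i, chunk in enumerate(raw.split('|')):
            if i % 2:                                # text between pipes is hex bytes
                buf += bytes.fromhex(chunk)
            else:                                    # literal text, with Snort's escapes
                buf += chunk.replace('\\"', '"').replace('\\;', ';').replace('\\\\', '\\').encode()
        out.append(bytes(buf))
    return out


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length padded with a zero byte)."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b''):
    """One Ethernet/IPv4/TCP frame with valid IP and TCP checksums (made-up MACs)."""
    src_ip, dst_ip = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + tcp_len, 1, 0, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack('!H', checksum(ip)) + ip[12:]
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack('!BBH', 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack('!H', checksum(pseudo + tcp + payload)) + tcp[18:]
    eth = bytes.fromhex('001122334455') + bytes.fromhex('66778899aabb') + b'\x08\x00'
    return eth + ip + tcp + payload


def http_session(content, client='10.0.0.2', server='10.0.0.1', sport=40000, dport=80):
    """Three-way handshake, GET, and a 200 response whose body carries `content`.

    A complete, in-order flow is what stream/HTTP preprocessors need before they
    hand the payload to rule matching; a lone packet with the bytes is often ignored.
    """
    request = b'GET / HTTP/1.1\r\nHost: testmyids.com\r\n\r\n'
    body = content + b'\n'
    response = (b'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n'
                b'Content-Length: %d\r\n\r\n' % len(body)) + body
    c_isn, s_isn = 1000, 5000                        # made-up initial sequence numbers

    def c2s(seq, ack, flags, data=b''):
        return tcp_frame(client, server, sport, dport, seq, ack, flags, data)

    def s2c(seq, ack, flags, data=b''):
        return tcp_frame(server, client, dport, sport, seq, ack, flags, data)

    return [
        c2s(c_isn, 0, SYN),
        s2c(s_isn, c_isn + 1, SYN | ACK),
        c2s(c_isn + 1, s_isn + 1, ACK),
        c2s(c_isn + 1, s_isn + 1, PSH | ACK, request),
        s2c(s_isn + 1, c_isn + 1 + len(request), ACK),
        s2c(s_isn + 1, c_isn + 1 + len(request), PSH | ACK, response),
        c2s(c_isn + 1 + len(request), s_isn + 1 + len(response), ACK),
    ]


def pcap_bytes(frames):
    """Serialise frames as a classic little-endian pcap (link type 1 = Ethernet)."""
    now = int(time.time())
    out = [struct.pack('<IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack('<IIII', now, i * 1000, len(frame), len(frame)))
        out.append(frame)
    return b''.join(out)


def write_pcap(path, frames):
    with open(path, 'wb') as f:
        f.write(pcap_bytes(frames))
    return path


if __name__ == '__main__':
    match = rule_contents(SAMPLE_RULE)[0]
    frames = http_session(match)
    print(write_pcap('idcheck.pcap', frames), len(frames), 'frames carrying', match)
```

Replay it against the ruleset pulledpork produced with something like snort -c /etc/snort/snort.conf -r idcheck.pcap -A console and look for the id-check alert. Two details are deliberate: the full handshake, because the stream preprocessor only inspects flows it saw established, and the real IP/TCP checksums, because with Snort's default checksum verification a packet whose checksum is wrong is dropped before rule matching, so a hand-built packet with a zeroed checksum never fires even when the bytes are right. Rules that depend on more than a plain content match (flowbits, byte_test, pcre, http_* modifiers, file-type checks) still need case-by-case crafting, which is the part rules2alert never finished.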