What is the easiest way to test Snort IDS after installing? Would using and writing a rule that captures all of the traffic work?
alert ip any any -> any any ( msg: "ICMP packet detected!"; sid: 1; )
That is, using its own rules.
One way that I know of for testing Snort is by using some programs such as Nmap, Metasploit, and something else, but how can it be done?
There are two subtly different things you might want to test.
To test case 1, you make a rule that's easy to fire, like your example, and fire it. To test case 2, you have to attempt an intrusion of type X and confirm that it is detected.
You seem to be wanting to test case 1 (that the install has been done correctly) using the method in case 2, but you don't need to. Using a "fake" rule is a perfectly valid test that Snort is working in the first sense. And it's easier. Easy tests are good. You don't want to faff around with Metasploit when you're just checking that the alert emails go to the right person. Especially if you're not skilled in running intrusions - what if you do the intrusion wrong, and get a false test result? What if the intrusion attempt crashes the target (which is very likely on many types of intrusion.)
You really only need to test case 2, that a specific rule works against a real intrusion attempt, if you don't trust your rule set (in which case - why are you using it?) or if you're developing new rules.
It also might be worth taking a look at IDSWakeUp [Apr 2019: link is dead].
IDSwakeup is a collection of tools that allows to test network intrusion detection systems.
The main goal of IDSwakeup is to generate false attack that mimic well known ones, in order to see if NIDS detects them and generates false positives.
Like nidsbench, IDSwakeup is being published in the hopes that a more precise testing methodology might be applied to network intrusion detection, which is still a black art at best.
To test that your default rules are working, assuming you've pulled them down with pulledpork, oinkmaster or something-else, you can simply browse to http://testmyids.com/ from a client whose traffic will be seen by the IDS, through your IDS device being inline or as a port span.
The http response contains the following text:
uid=0(root) gid=0(root) groups=0(root)
which will match one of the default snort rules that looks for "content" containing root. This is an old rule to check for successful privilege escalation when an attacker runs the id or whoami type commands to check that he/she has root access.
Here's an (old) blog also discussing how to test snort: How do I know if my Snort implementation is working?.
I know this is old but I will throw this out there anyhow...
Check out snort -T
This switch is designed for exactly the question that was asked. It's built-in, you don't need to monkey with rules, you don't need to send malicious traffic (even though it's "controlled"), you don't need to send any traffic. Will even tell you where your problems are.
As of 2019 the most robust Suricata/Snort test I found is:
dig a 3wzn5p2yiumh7akj.onion
Which triggers the following rule from emerging-trojan.rules:
alert dns $HOME_NET any -> any any (msg:"ET TROJAN Cryptowall .onion Proxy Domain";
dns_query; content:"3wzn5p2yiumh7akj"; depth:16; nocase;
reference:url,www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names;
classtype:trojan-activity; sid:2022048; rev:2; metadata:created_at 2015_11_09,
updated_at 2015_11_09;)
Background: the signatures mentioned above are out of date and most of them do not contain proper flow specification which will make Snort or Suricata blind to them. Also to reach testmyids.com you need a working proxy and this adds to the complexity. The .onion DNS resolution alert however does not require a working Internet connection as it is triggered by a mere attempt to resolve the name by the client.
