How to test Snort LAN protection
-
I've had Snort running for several months, with many rules enabled. Some would say too many. I don't get many, if any, alerts. I get some, but they seem to be false alarms. I can usually connect them to some activity I did, making them false alerts. I'm mostly assuming it's doing its job, but how can I be sure? Is there some test I can run? Like "Shields Up" for firewall protection? (I have a feeling this question was asked many times in the past, but I wasn't sure of the best way to search for it.) Thanks in advance for any tips.
-
If you can swing the physical connections, you could put something like a Kali Linux virtual machine on a laptop and put it on the outside of your WAN and then throw exploits at your firewall from the Kali machine.
To answer your direct question, I'm not aware of any online sites that are designed for purposefully testing an IDS other than simple port scanners (like the Steve Gibson "Shields Up" site).
But remember, you don't actually want your IDS/IPS generating a ton of alerts when it is well-tuned for your environment. It should only alert or block on real threats. You will occasionally get a false positive, but it sounds like from your description that your setup is working fine. I get very few "real" alerts on my system. The last one I had on my LAN was back on December 26, 2018 and it was from an Ubuntu virtual machine I use whenever I have a need to browse potentially malicious sites. Snort blocked the attempt from the malicious host.
-
@bmeeks said in How to test Snort LAN protection:
l connections, you could put something like a Kali Linux virtual machine on a laptop and put it on the outsi
Thanks for the advice. I do have redundant WANs (AT&T Fiber and Spectrum Cable), so I should be able to rig something together. Can you give me some more detail (i.e., links) on what you'd set up with a Kali Linux VM? I've never heard of it, but I learn quickly.
Don't put too much effort into it. I agree with you. By all accounts, Snort is working as it should. With the occasional false alert, I know it's active. (I always wonder if they are truly false alerts. I usually just clear them, rather than disable them at first, just to be sure.) Most alerts I get are when I add another category, as I'm always expanding. (I have the memory for it.) Anyway, I think it's working fine, and likely any effort I put into this would be better spent in other areas... kinda like you inferred.
It would be nice though, if someone created a test, like 'Shields Up'. I would even pay a small fee. I think someone could make some coin if they had the knowledge and time on their hands.
Anyway, thanks.
-
Kali Linux is a specialized virtual machine image that comes pre-loaded with a ton of exploits and scanners. You can find all you need to know about installing and using it in various tutorials available with a Google search. You will need a host environment such as VMware or Microsoft Hyper-V to install the VM on.
It is used as a tool in a number of cyber security training courses for pen testers. If you are running Snort on the LAN, and if you have an unused interface on your firewall, you could spin up that interface, put an IP network on it different from that of your LAN, and then connect the Kali machine to that interface and test from there. No need to disconnect the WAN side.
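A cheaper end-to-end check than throwing exploits at the box is a harmless marker rule: add one custom rule on the Snort-monitored interface, send a single request containing the marker from the test segment described above, and confirm the rule's SID shows up in the alert log. This is an added example, not from the thread or the pfSense Snort package; the SID, marker string, alert log path and the sample alert lines are my assumptions.

```python
import re
import socket
from pathlib import Path

# Assumptions (not from the thread): a SID in the local/private range, a marker
# that never occurs in real traffic, and a placeholder for the fast-format alert
# log (on pfSense it lives under the interface's own /var/log/snort/ subdirectory).
TEST_SID = 1000001
MARKER = "SNORT-LAN-SELFTEST-7f3a"
ALERT_LOG = Path("/var/log/snort/alert")  # placeholder, adjust to your instance

def build_test_rule(sid: int = TEST_SID, marker: str = MARKER) -> str:
    """Snort 2 rule that alerts when the marker appears in client traffic to port 80.
    Paste it into the interface's custom rules in the pfSense Snort package."""
    return (f'alert tcp any any -> any 80 (msg:"LOCAL TEST Snort self-check"; '
            f'flow:to_server,established; content:"{marker}"; nocase; '
            f'classtype:not-suspicious; sid:{sid}; rev:1;)')

def send_marker(dst_ip: str, marker: str = MARKER, port: int = 80) -> int:
    """Send one plain HTTP GET carrying the marker across the monitored interface.
    The target only has to accept the TCP connection; any web server will do."""
    req = f"GET /{marker} HTTP/1.1\r\nHost: {dst_ip}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((dst_ip, port), timeout=5) as s:
        return s.send(req.encode())

# One alert_fast line looks like: "<ts>  [**] [gid:sid:rev] msg [**] [Classification: ...] ..."
_FAST = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")

def find_alerts(log_text: str, sid: int = TEST_SID) -> list[str]:
    """Return the message of every fast-format alert line whose SID matches."""
    hits = []
    for line in log_text.splitlines():
        m = _FAST.search(line)
        if m and int(m.group(2)) == sid:
            hits.append(m.group(4))
    return hits

def self_test_passed(log_path: Path = ALERT_LOG, sid: int = TEST_SID) -> bool:
    """True once the marker rule has fired at least once."""
    return bool(find_alerts(log_path.read_text(errors="replace"), sid))

# Constructed sample of the fast alert format, used only to exercise the parser offline.
SAMPLE_ALERT_LOG = (
    "10/11-12:00:00.123456  [**] [1:1000001:1] LOCAL TEST Snort self-check [**] "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.10.5:51234 -> 192.168.1.20:80\n"
    "10/11-12:00:01.000000  [**] [1:1000002:1] LOCAL TEST other rule [**] "
    "[Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.10.5:51235 -> 192.168.1.20:80\n"
)

if __name__ == "__main__":
    print(build_test_rule())
    # send_marker("192.168.1.20")  # a host behind the Snort-monitored interface
    # print("alert seen:", self_test_passed())
```

Run it once from the Kali box (or any host on the test segment) after the rule is loaded; if the SID never appears, Snort is not seeing that interface's traffic, which is the actual question the "false alerts only" symptom cannot answer.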
-
Perfect. That's what I needed to know. Now I have a new project to work on. Thanks!
I'm already running my pfSense firewalls on Hyper-V. I don't have any unused physical ports, unless I un-team some. However, I'm sure I could simply add another internal network to my pfSense VM and connect the Kali Linux VM that way. I'll figure out something. Again, thanks.