
Re: [Snort-sigs] Strange question

From: Matt Kettler <mkettler(at)evi-inc.com>
Date: Wed Apr 23 2003 - 13:41:52 EDT


Erm, why do you want viruses to test a firewall? Viruses aren't even relevant to a firewall anyway; they infect executables, firewalls block network attacks. Perhaps you meant worms?

In general, using self-replicating code (i.e. worms or viruses) as a "test" is an extremely reckless and dangerous thing to do. It's a lot like pouring a can of gas on the floor and lighting it to see if the fire-sprinkler system works. Even if the floor is concrete, there are still much safer tests out there.

Might I suggest looking at the Nessus scanner or something of the like instead? There are lots of tools out there that use the same attacks as network worms (which I assume is what you really want) and only manually so they won't spread out of control if you accidentally misstep.

Certainly in your case, it sounds like you're not quite up to the task of testing with self-replicating code. It's VERY easy to screw up. When professionals (i.e. antivirus writers) that do test with live code run their tests, they use a separate quarantined network that isn't connected to any part of the internet in any way. They do it because even a trained professional that handles worms every day can make a mistake and the risk of infecting other networks is high.

At 09:01 AM 4/23/2003 -0700, Bryan Irvine wrote:
>I'd like to test out the snort rules I have in place, and download some




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Wed Apr 23 14:16:54 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:27 EDT

