Testing Snort IDS installation
There are two subtly different things you might want to test.
- Is Snort working in the sense that it's running, able to sniff trafic, testing it against the rules, and alerting you when one is triggered?
- Is Snort working in the sense that it's current rule set detects a specific intrusion of type X?
To test case 1, you make a rule that's easy to fire, like your example, and fire it. To test case 2, you have to attempt an intrusion of type X and confirm that it is detected.
You seem to be wanting to test case 1 (that the install has been done correctly) using the method in case 2, but you don't need to. Using a "fake" rule is a perfectly valid test that Snort is working in the first sense. And it's easier. Easy tests are good. You don't want to faff around with Metasploit when you're just checking that the alert emails go to the right person. Especially if you're not skilled in running intrusions - what if you do the intrusion wrong, and get a false test result? What if the intrusion attempt crashes the target (which is very likely on many types of intrusion.)
You really only need to test case 2, that a specific rule works against a real intrusion attempt, if you don't trust your rule set (in which case - why are you using it?) or if you're developing new rules.
It also might be worth taking a look at IDSWakeUp [Apr 2019: link is dead].
IDSwakeup is a collection of tools that allows to test network intrusion detection systems.
The main goal of IDSwakeup is to generate false attack that mimic well known ones, in order to see if NIDS detects them and generates false positives.
Like nidsbench, IDSwakeup is being published in the hopes that a more precise testing methodology might be applied to network intrusion detection, which is still a black art at best.
To test that your default rules are working, assuming you've pulled them down with pulledpork, oinkmaster or something-else, you can simply browse to http://testmyids.com/ from a client whose traffic will be seen by the IDS, through your IDS device being inline or as a port span.
The http response contains the following text:
uid=0(root) gid=0(root) groups=0(root)
which will match one of the default snort rules that looks for "content" containing root. This is an old rule to check for successful privilege escalation when an attacker runs the id
or whoami
type commands to check that he/she has root access.
Here's an (old) blog also discussing how to test snort: How do I know if my Snort implementation is working?.