I am evaluating Astaro product and am a newbie. I was wondering if there is a way to test IPS by triggering a Snort rule. Any tools? If so would I see any thing in the log?
IPS applies only to traffic allowed to enter/pass Astaro. I bet you could put in a rule Any -> Any -> Any and see some activity in the Live Log. In addition to the snort capability, that section of Astaro also includes tools that help prevent DoS Flooding and portscanning.
There's not much reason to spend time testing those capabilities, as they are are well-known and function effectively. If you're comparing against another IPS, you'll just find rules that are enabled on one, but not on the other. Every site will have unique situations that require adjustment of the default.
if you don't want to install a scanner and you do have a server you want to test (that is what I did) you can use netcat and telnet! Using netcat to initiate a listening port on a remote host, say port 80. You can then telnet to the listener and feed it raw HTTP protocol. For example,once connected feed it:
GET /etc/passwd HTTP/1.1
Press enter instead of typing , but this will simulate a browser requestion the /etc/passwd file on a webserver. This should fire the /etc/passwd signature, confirming the sensor is operating correctly.
You can turn the rule (any ->any- >any ) on as bob suggested and possible enable all relevant IPS rules and you will see logs [:)]
Also a far more easier way to test visit www.testmyids.com and check the logs on your IPS. you should see the following:
2012:02:08-20:47:14 **** snort[1374]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="ATTACK-RESPONSES id check returned root" group="500" srcip="217.160.51.31" dstip="****** " proto="6" srcport="80" dstport="52341" sid="498" class="Potentially Bad Traffic" priority="2" generator="1" msgid="0"
