[Full-Disclosure] [RE: Test scripts for NIDS]

indianz_at_indianz.ch
Date: 09/03/04

  • Next message: gadgeteer_at_elegantinnovations.org: "[Full-Disclosure] Re: Empirical data surrounding guards and firewalls."
    To: full-disclosure@lists.netsys.com
    Date: Fri, 3 Sep 2004 08:16:09 +0200 (CEST)
    
    

    For to test with stick and snot you just throw alerts at the IDS, after
    that, you should check the logs of the IDS to see what has been recorded
    and what
    dropped.
    You also can throw (with stick and snot) and try to exploit the IDS from
    another machine in the same time.

    Have also a look at
    http://packetstormsecurity.nl/distributed/stick.htm

    Stick Download:
    http://www.eurocompton.net/stick/projects8.html

    Snot Download:
    http://www.stolenshoes.net/sniph/index.html

    IDSwakeup Download:
    http://www.hsc.fr/ressources/outils/idswakeup/index.html.en

    GreetZ from IndianZ

    mailto:indianz@indianz.ch
    http://www.indianz.ch

    > I've gotten alot of suggestions to test the
    > signatures, i've got some to test the load but they
    > were $$$, anything out there for free ?
    >
    > With a software and not an appliance how does one test
    > the load to know when the IDS can no longer verify
    > packets and they are being dropped ? Is this included
    > in the software ?
    >
    > Thanks again everyone :)
    >
    >
    >> > -----Original Message-----
    >> > From: Bénoni MARTIN
    >> [mailto:Benoni.MARTIN@libertis.ga]
    >> > Sent: August 31, 2004 09:05
    >> > To: John Madden; pen-test@securityfocus.com
    >> > Subject: RE: Test scripts for NIDS
    >> >
    >> <SNIP>
    >> >
    >> > I know there is a tool that generates Snort's
    >> alerts, but I
    >> > just cannot remeber it's name :(
    >> >
    >> The tool you're talking about is called "SNOT". You
    >> can find it
    >> here: http://www.stolenshoes.net/sniph/index.html
    >>
    >> From the file 'snot-0.92a-README.txt' post at that
    >> URL:
    >>
    >> "Snot is an arbitrary packet generator, that uses
    >> snort rules
    >> files as its source of packet information. It
    >> attempts at all
    >> times to randomise information that is not contained
    >> in the
    >> rule, to hamper the generation of 'snot detection'
    >> snort rules.
    >>
    >> It can be used as an IDS evasion tool, by using
    >> specific decoy
    >> hosts, or just something to keep your friendly IDS
    >> monitoring
    >> staff busy.
    >>
    >> It has been tested to run on *BSD, Linux, Win2k,
    >> NT4.0 and Win98."
    >>
    >> I hope this helps,
    >> Alex%

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: gadgeteer_at_elegantinnovations.org: "[Full-Disclosure] Re: Empirical data surrounding guards and firewalls."

    Relevant Pages

    • Re: Snot/state [WAS: Re: Signature and Traffic generation]
      ... While programs like Stick and Snot don't do a very good job of maintaining ... it might be necessary to get a bit more creative, but (at least in the IDS ... Interestingly, some alarms will be sensitive to this type of attack, while ...
      (Focus-IDS)
    • Snot/state [WAS: Re: Signature and Traffic generation]
      ... > same bogus alerts. ... If the IDS fails to properly categorize most ... ...or that you haven't turned on the state engine. ... and you're on your way to solving the snot problem. ...
      (Focus-IDS)
    • Re: Snot/state [WAS: Re: Signature and Traffic generation]
      ... if Snot were more robust and did more than just spew the ... > Snort rules file across the wire, almost every IDS would fall victim to ... regarding this topic I'm currently implementing and IDS testing option in ... stateful inspection IDS and some evasion techniques. ...
      (Focus-IDS)
    • Re: Target based IDS review and discussion in Information Security
      ... This all began in 2000 when Marty lead the IDS development effort at ... > describes alerts as they pop out of IDS consoles. ... > Roesch names two other components as integral to target based NIDS: ... > an attack on a system that cannot succeed should be demoted. ...
      (Focus-IDS)
    • Re: which attacks will generate false positive or false negative?
      ... addresses of the servers on your network that are allowed to do DNS Zone ... you first install a Network IDS, snmpwalks may trigger from your network ... Matt brings up the point of alerts to things that didn't have any ... you're not sure of the best way to tune out false positives during your ...
      (Focus-IDS)