RE: Evaluation for IDS
From: Kohlenberg, Toby (toby.kohlenberg@intel.com)
Date: 09/28/01
Message-ID: <B6E52B5EDFAFD411BA42009027AE9D580FB84C8A@FMSMSX39>
From: "Kohlenberg, Toby" <toby.kohlenberg@intel.com>
To: "'Kurt Seifried'" <bugtraq@seifried.org>, hu jinhua <hujh@neusoft.com>, focus-ids@securityfocus.com
Subject: RE: Evaluation for IDS
Date: Fri, 28 Sep 2001 10:17:39 -0700
The tcpdump files that shmoo has from the DefCon CTF networks
offer a whole bunch of nasty traffic that you can use with
tcpreplay to test products.
Toby
All opinions are my own and in no way reflect the views of my employer
-----Original Message-----
From: Kurt Seifried [mailto:bugtraq@seifried.org]
Sent: Friday, September 28, 2001 4:41 AM
To: hu jinhua; focus-ids@securityfocus.com
Subject: Re: Evaluation for IDS
One simple way would be to shove a lot of traffic through and then launch
attacks (get code from packetstorm or similar). You know what you are
sending, and by checking the reports can easily figure out what % of attacks
are detected, also how good the info is (i.e.: "attack foo detected" versus
"attack foo detected, go find all your win2k servers and make sure patch
#xxx is applied"). Plus there are things like Dug Song's fragrouter and
other tools you can use to make the IDS's life more realistic (you better
believe attackers use this stuff).
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
----- Original Message -----
From: "hu jinhua" <hujh@neusoft.com>
To: <focus-ids@securityfocus.com>
Sent: Friday, September 28, 2001 12:00 AM
Subject: Evaluation for IDS
> I need help about testing methodology for IDS, or
> criteria about evaluating IDS. Who can tell me about
> this?
> Someone who has knowledge about this, please
> mail me. My E-mail address is hujh@neusoft.com.
> Thanks very much!
>
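
An added example, not part of the original thread: one way to score the test Kurt describes, assuming you keep a log of what you sent (plain and again through a fragmenting router) and can export the IDS report as rows. The addresses, field names, attack names and the 5-second matching window are all constructed for illustration.

```python
from collections import defaultdict

WINDOW = 5.0  # seconds an alert may lag the injected attack (assumed value)

# Constructed ground truth: what the tester sent, when, and in which variant.
SENT = [
    {"t": 100.0, "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 80, "name": "foo", "variant": "plain"},
    {"t": 160.0, "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 80, "name": "foo", "variant": "fragmented"},
    {"t": 220.0, "src": "10.0.0.5", "dst": "10.0.1.21", "dport": 21, "name": "bar", "variant": "plain"},
    {"t": 280.0, "src": "10.0.0.5", "dst": "10.0.1.21", "dport": 21, "name": "bar", "variant": "fragmented"},
]
# Constructed IDS report rows; "advice" is remediation text, empty if none.
ALERTS = [
    {"t": 100.4, "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 80, "advice": "apply patch #xxx"},
    {"t": 220.9, "src": "10.0.0.5", "dst": "10.0.1.21", "dport": 21, "advice": ""},
    {"t": 281.0, "src": "10.0.0.5", "dst": "10.0.1.21", "dport": 21, "advice": ""},
    {"t": 300.0, "src": "10.0.0.9", "dst": "10.0.1.30", "dport": 25, "advice": ""},
]

def flow(r):
    return (r["src"], r["dst"], r["dport"])

def score(sent, alerts, window=WINDOW):
    """Match each sent attack to at most one alert on the same flow within the window."""
    unused = sorted(alerts, key=lambda a: a["t"])
    per_variant = defaultdict(lambda: [0, 0])  # variant -> [detected, total]
    missed, actionable = [], 0
    for atk in sorted(sent, key=lambda s: s["t"]):
        per_variant[atk["variant"]][1] += 1
        hit = next((a for a in unused
                    if flow(a) == flow(atk) and 0 <= a["t"] - atk["t"] <= window), None)
        if hit is None:
            missed.append((atk["name"], atk["variant"]))
            continue
        unused.remove(hit)  # one alert accounts for one attack only
        per_variant[atk["variant"]][0] += 1
        actionable += bool(hit["advice"])  # alert told the operator what to do
    rates = {v: d / n for v, (d, n) in per_variant.items()}
    return {"rates": rates, "missed": missed,
            "actionable": actionable, "unmatched_alerts": len(unused)}

if __name__ == "__main__":
    print(score(SENT, ALERTS))
```

Alerts left unmatched are the ones raised on traffic you did not send as an attack, so on benign background load they count against the product.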