RE: IDS Testing
From: Dragos Ruiu (dr@kyx.net)
Date: 10/26/01
- Previous message: Estis, Kevin A.: "RE: IDS Testing"
- In reply to: Estis, Kevin A.: "RE: IDS Testing"
From: Dragos Ruiu <dr@kyx.net>
To: "Estis, Kevin A." <KEVIN.A.ESTIS@saic.com>, 'Mike Barrimore' <mikeybarrimore@hotmail.com>, focus-ids@securityfocus.com
Subject: RE: IDS Testing
Date: Fri, 26 Oct 2001 12:40:35 -0700
Message-Id: <0110261247360H.00625@smp.kyx.net>

Mr. Bailey and the inimitable, Pokemon-crazed, Cazz (Well, no, he's
not. But if we give him too much praise without _some_ abuse... :) have
given us a wonderful tool for testing ids'es:
In the words of Mitre's Don Bailey:
> I needed an easy-to-control false-positive generator (didn't care too
> much for stick, snot, or IDSWakeup) so Cazz and I wrote one in Perl this
> past Friday. It's called Sneeze, and we like to refer to it as
> "stick-that-doesn't-suck." Future revision 1.1 should support more
> accurate and custom packets, random spoofed source, and quiet / verbose
> mode among other things. For now, it seems to get the job done and is
> fun to play with. Requires Net::RawIP Perl module. Download Sneeze
> today from:
>
> http://snort.sourceforge.net/sneeze-1.0.tar
cheers
--dr
On Fri, 26 Oct 2001, Estis, Kevin A. wrote:
> Other than Nessus, which has already been mentioned, another good tool is
> Shadow Security Scanner. It includes DoS attacks along with the normal http,
> cgi, etc. vulnerability tests and has an easy GUI.
>
> Depending on your exact business situation you may, as Mr. Getchell
> recommended, wish to have a third party perform a vulnerability/penetration
> test on your system. Third party tests are usually seen by management to be
> more objective than internal tests. It also helps you fix things before an
> internal auditor finds them.
>
> Regardless, functional security testing should always be performed at
> regular intervals and any time a major system change occurs. So even if you
> don't need a third party test, *someone* should do it.
>
> Here's one decent link: http://www.insecure.org/tools.html . If you can't
> find Shadow Security Scanner let me know and I'll send it to you.
>
> Regards,
>
> Kevin
>
> PS. I *am* affiliated with a penetration testing firm. =)
>
> -----Original Message-----
> From: Mike Barrimore [mailto:mikeybarrimore@hotmail.com]
> Sent: Thursday, October 25, 2001 4:17 PM
> To: focus-ids@securityfocus.com
> Subject: IDS Testing
>
>
> Hi,
>
> I have been running network ids for a while now and I keep getting asked the
> question by my boss, more recently after the 11th Sept, how do you know that
> it is working as it should be. Other than downloading all of the attacks and
> running them I'm not really sure.
>
> Are there any easy to run apps that anyone can recommend? I just need to
> prove that it is doing what we think it is doing.
>
> Mikey
--
Dragos Ruiu <dr@dursec.com>
dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net or at http://dursec.com/drkey.asc