IDS tests in the OSSTMM 2.0
From: "pete" <email@example.com>
To: "IDS focus list" <firstname.lastname@example.org>
Date: Fri, 1 Mar 2002 11:41:10 +0100
I just wanted to point out that the new OSSTMM (2.0) has been released. You can check it out and maybe join the project to define sec testing methods at www.osstmm.org/download.htm. Here is a copy of the IDS testing methodology in it. If anyone cares to comment....
Intrusion Detection System Testing
RAVs: 25 days at 2.3%
This test is focused on the performance and sensitivity of an IDS. Much of this testing cannot be properly achieved without access to the IDS logs. Some of these tests are also subject to attacker bandwidth, hop distance, and latency that will affect the outcome of these tests.
Reviewing the server logs is needed to verify the tests performed on the Internet presence especially in cases where results of the tests are not immediately visible to the tester. Many unknowns are left to the analyst who has not reviewed the logs and alerts.
· Type of IDS
· Note of IDS performance under heavy load
· Type of packets dropped or not scanned by the IDS
· Type of protocols dropped or not scanned by the IDS
· Note of reaction time and type of the IDS
· Note of IDS sensitivity
· Rule map of IDS
· List of IDS false positives
· List of IDS missed alarms
· List of unmonitored paths into the network
Tasks to perform for a thorough IDS Test:
IDS and features identification
· Verify the IDS type with information collected from intelligence gathering.
· Determine its sphere of protection or influence.
· Test the IDS for alarm states.
· Test the signature sensitivity settings over 1 minute, 5 minutes, 60 minutes, and 24 hours.
Testing IDS configuration
· Test the IDS for configured reactions to multiple, varied attacks (flood and swarm).
· Test the IDS for configured reactions to obfuscated URLs and obfuscated exploit payloads.
· Test the IDS for configured reactions to speed adjustments in packet sending.
· Test the IDS for configured reactions to random speed adjustments during an attack.
· Test the IDS for configured reactions to random protocol adjustments during an attack.
· Test the IDS for configured reactions to random source adjustments during an attack.
· Test the IDS for configured reactions to source port adjustments.
· Test the IDS for the ability to handle fragmented packets.
· Test the IDS for the ability to handle specific system method attacks.
· Test the effect and reactions of the IDS against a single IP address versus various addresses.
Reviewing IDS logs and alerts
· Match IDS alerts to vulnerability scans.
· Match IDS alerts to password cracking.
· Match IDS alerts to trusted system tests.
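As an added example (not part of the OSSTMM text or of this post), a small Python script for the "Reviewing IDS logs and alerts" step above: it pairs the tester's own activity log with the IDS alert log, source by source within a time window, and yields the three things the expected results ask for, the matched alerts with their reaction time, the missed alarms, and the false positives. The log format, field names and sample entries are constructed assumptions, not an OSSTMM or vendor format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: what the tester did (TEST_LOG) and what the IDS
# logged (IDS_ALERTS). Format "timestamp source label" is an assumption.
TEST_LOG = """\
2002-03-01T10:00:05 10.0.0.5 vuln-scan
2002-03-01T10:07:30 10.0.0.5 password-cracking
2002-03-01T10:15:00 10.0.0.9 trusted-system-test
2002-03-01T10:20:00 10.0.0.5 vuln-scan
"""
IDS_ALERTS = """\
2002-03-01T10:00:17 10.0.0.5 PORTSCAN
2002-03-01T10:08:02 10.0.0.5 BRUTE_FORCE
2002-03-01T10:12:40 10.0.0.7 PORTSCAN
2002-03-01T10:20:09 10.0.0.5 PORTSCAN
"""

@dataclass
class Event:
    ts: datetime
    src: str
    label: str

def parse(text):
    """Parse one event per line; lines must be in chronological order."""
    events = []
    for line in text.splitlines():
        ts, src, label = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, label))
    return events

def match(tests, alerts, window=timedelta(seconds=60)):
    """Pair each test with the first unused alert from the same source that
    fires within `window` after the test started.
    Returns (matched, missed, false_positives):
      matched         - (test, alert, reaction_time_seconds) triples
      missed          - tests that raised no alert (candidate missed alarms)
      false_positives - alerts that no test activity explains"""
    unused = list(alerts)
    matched, missed = [], []
    for t in tests:
        hit = next((a for a in unused
                    if a.src == t.src and t.ts <= a.ts <= t.ts + window), None)
        if hit is None:
            missed.append(t)
        else:
            unused.remove(hit)
            matched.append((t, hit, (hit.ts - t.ts).total_seconds()))
    return matched, missed, unused
```

The analyst still reviews both residual lists by hand: a test with no alert may be outside the IDS's sphere of protection rather than a tuning error, and an unexplained alert may be real third-party traffic rather than a false positive.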