Re: Firewall Tester 0.6

From: Andrea Barisani (lcars@infis.univ.trieste.it)
Date: 04/11/02


Date: Thu, 11 Apr 2002 09:56:44 +0200
From: Andrea Barisani <lcars@infis.univ.trieste.it>
To: Steve <steve@securesolutions.org>

On Wed, Apr 10, 2002 at 11:10:25PM -0600, Steve wrote:
> I agree with Greg on this point. In theory, if you replay 100 signature
> files the IDS should detect 100/100 of the "attacks". If you actually
> do the attacks themselves you are performing a true test.
>

You are right, it 'should' :-), this tool is made for testing the 100/100
correlation which depends on many factors (IDS placement, stateful inspection
engine, sniffing method, configuration and thresholds) and it's not always true,
and NOT IDS efficiency on real attacks.

That's obvious since usually a series of alerts is a sign of an attack and
not a single unrelated event.

In fact we are testing the IDS engine not the person that's reviewing the
alerts nor the rules.

Maybe I should put a disclaimer if you think this point isn't clear enough ;)

Bye

------------------------------------------------------------
INFIS Network Administrator & Security Officer .*.
Department of Physics - University of Trieste /V\
lcars@infis.univ.trieste.it - PGP Key 0x8E21FE82 (/ \)
---------------------------------------------------- ( )
"How would you know I'm mad?" said Alice. ^^-^^
"You must be," said the Cat, "or you wouldn't have come here."
------------------------------------------------------------
