Re: IDS Project
From: Gianpiero Porchia <gianpiero.porchia@atsweb.it>
To: IDS Focus <focus-ids@securityfocus.com>
Date: 21 Jun 2002 12:27:26 +0200
In reply to: Azad Mahmoud: "IDS Project"
Hi,
I'm doing some tests on the NFR and on the SNORT systems.
I've focused the tests on performance evaluation of these systems:
1) I've installed the IDS on the same hardware
2) I've selected a set of exploits to send against target systems (I'm
using only a win2k box and a Linux box) with these services
w2kn
----
IIS Server
FTP Server
SMTP Server
NNTP Server
Linux
------
Apache Server (with php extension)
Sendmail server
POP3 server
wuFTP server
finger server
telnet server
ident
rpc
I've chosen old versions of these services, so I can test the exploits
easily.
2) When I'm sending an exploit I wonder if this exploit can raise an
alert, and what kind of alert. So when I've sent the attack I can see if
the IDS has raised (or not) the correct type of alert.
3) I'm using snort, in NNIDS configuration, for logging the traffic that
reaches each server, so I can know if the exploit has really hit the
target.
4) Now, I'm repeating the same tests, using a Network Traffic Generator
(SMARTBIT, Chariot, httperf, etc.), so I can stress the IDS. With this
test I can find the blinding point of the system.
5) When I've reached the blinding point (example 1% of attacks lost), I'm
repeating the test 10-15 times, so I can know which attacks are detected
in every test, i.e. I'm searching for redundancy in the detecting system
of the IDS (i.e. the capability to detect attacks with packet loss).
6) Now I'm repeating test 4, using heavily fragmented traffic, unordered
TCP segments etc. (i.e. using fragroute). With this test I want to test if
it is possible to overload the system
7) I choose a kind of attack, and use every evasion technique described
by Ptacek and Newsham
(http://www.robertgraham.com/mirror/Ptacek-Newsham-Evasion-98.html),
obfuscation and mutating shellcode, for evasion testing
8) Putting together 4 and 7
On Thu, 2002-06-20 at 15:06, Azad Mahmoud wrote:
> Hi,
>
> I am doing a final project as part of my MSc degree. I am intending to
> evaluate three IDS systems (ISS, Snort, and NFR).
>
> I have some simple experience with snort, but never used ISS or NFR
> although I have the downloads for them. I think I can manage to deploy
> them with the help of the available documentation
>
> Questions are:
>
> - Am I making a good selection of products? Bearing in
> mind that I might not be able to get an evaluation version of something
> like Dragon.
> - What are the criteria and/or considerations that I have
> to build my conclusions or results on?
> - Any guidance or suggestions?
>
> If there is someone out there who did a similar project, I would be
> most grateful if I could review his papers or at least get an idea
> about the steps he/she took.
>
> Your help will be very much appreciated.
>
>
> Azad
--
Gianpiero Porchia
ATS - Advanced Telecom Systems
Designing, Testing, Managing Network Quality
Via Salgari, 17 - 41100 Modena - ITALY
Tel +39 059 821332 Fax +39 059 821492
E-mail: gianpiero.porchia@atsweb.it
Web site: http://www.atsweb.it
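One way to score the load tests described in steps 4 and 5 of the message above (finding the load at which the IDS starts to lose alerts, then repeating runs at that load to see which attacks are detected consistently), as an added example that is not part of the original post or of either IDS. It assumes the tester records, for each offered background load, one set per run containing the attack labels for which the correct alert was raised; the attack labels, load levels and run results below are constructed sample data.

```python
"""Score IDS detection under background load: blinding point and per-attack consistency.

Added example, not code from the original message. Input model (assumed):
for each offered load level, a list of runs, each run being the set of
attack IDs for which the IDS raised the correct alert.
"""
from collections import Counter

# Constructed: labels for the exploits sent in every run (hypothetical names,
# one per service listed in the post; they identify test cases, not real signatures).
ATTACK_IDS = frozenset({
    "iis-case", "ftp-case", "smtp-case", "nntp-case",
    "apache-php-case", "sendmail-case", "pop3-case", "wuftp-case",
    "finger-case", "telnet-case", "ident-case", "rpc-case",
})


def _runs(missing_per_run):
    """Build per-run detection sets from the attacks that were missed in each run."""
    return [ATTACK_IDS - frozenset(missed) for missed in missing_per_run]


# Constructed results keyed by background load in Mbit/s. Low loads: no misses.
# At 100 Mbit/s the tester repeated the run 10 times; at 200 the sensor is swamped.
RUNS = {
    10: _runs([(), (), (), ()]),
    50: _runs([(), (), (), ()]),
    100: _runs([
        ("finger-case",), ("finger-case", "rpc-case"), ("finger-case",),
        ("finger-case", "rpc-case", "ident-case"), ("finger-case",),
        ("finger-case",), ("finger-case", "rpc-case"), ("finger-case",),
        ("finger-case",), ("finger-case",),
    ]),
    200: _runs([tuple(ATTACK_IDS - {"iis-case"})] * 4),
}


def miss_rate(runs, attacks=ATTACK_IDS):
    """Fraction of (attack, run) pairs for which no correct alert was raised."""
    if not runs or not attacks:
        raise ValueError("need at least one run and one attack")
    sent = len(runs) * len(attacks)
    missed = sum(len(attacks - run) for run in runs)
    return missed / sent


def blinding_point(results, attacks=ATTACK_IDS, threshold=0.01):
    """Lowest load whose miss rate reaches the threshold (the post uses 1%), or None."""
    for load in sorted(results):
        if miss_rate(results[load], attacks) >= threshold:
            return load
    return None


def detection_consistency(runs, attacks=ATTACK_IDS):
    """Per attack, the fraction of runs in which it was detected."""
    if not runs:
        raise ValueError("need at least one run")
    hits = Counter()
    for run in runs:
        hits.update(run & attacks)
    return {attack: hits[attack] / len(runs) for attack in sorted(attacks)}


def classify(consistency):
    """Split attacks into always detected, sometimes detected (with rate), never detected."""
    always = sorted(a for a, rate in consistency.items() if rate == 1.0)
    never = sorted(a for a, rate in consistency.items() if rate == 0.0)
    sometimes = {a: rate for a, rate in consistency.items() if 0.0 < rate < 1.0}
    return always, sometimes, never


if __name__ == "__main__":
    for load in sorted(RUNS):
        print(f"{load:>4} Mbit/s: miss rate {miss_rate(RUNS[load]):.3f} over {len(RUNS[load])} runs")
    bp = blinding_point(RUNS)
    print(f"blinding point (>= 1% lost): {bp} Mbit/s")
    always, sometimes, never = classify(detection_consistency(RUNS[bp]))
    print("always detected:", ", ".join(always))
    print("sometimes detected:", sometimes)
    print("never detected at this load:", ", ".join(never))
```

The "sometimes" bucket is the one that matters for the redundancy question in step 5: an attack that is missed in some runs but caught in others at the same load is being dropped by packet loss rather than by a missing signature, while an attack that is never caught at that load (but was caught at lower loads) points at a rule or reassembly path that is the first to fail under stress.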