RE: host-based ids evaluation

From: Kohlenberg, Toby (toby.kohlenberg@intel.com)
Date: 08/15/02


From: "Kohlenberg, Toby" <toby.kohlenberg@intel.com>
To: "'Andrew Plato'" <aplato@anitian.com>, glvalecchi@hotmail.com, focus-ids@securityfocus.com
Date: Wed, 14 Aug 2002 15:25:11 -0700

All opinions are my own and in no way reflect the views of my employer.

I'd recommend against trying to use a vulnerability scanner to try
and test HIDS. A decent HIDS product will not necessarily light up
at a Nessus scan since a successful attack has not completed. You
would have to write custom Nessus scripts if you want it to complete
an attack. HIDS are best tested by performing actual attacks against
the system you have the HIDS on.

Toby

> -----Original Message-----
> From: Andrew Plato [mailto:aplato@anitian.com]
> Sent: Monday, August 12, 2002 5:19 PM
> To: glvalecchi@hotmail.com; focus-ids@securityfocus.com
> Subject: Re: host-based ids evaluation
>
>
> >Hi all,
> >I'm an IDS newbie, I have to evaluate some host-based IDS products.
> >I need some advice about how to set up a feasible testbed.
>
> What HIDS are you evaluating...out of curiosity? There are
> not very many out there.
>
> >I would reproduce some attacks from an attacker machine towards two victim
> >machines (winnt and solaris) on which I've to install ids sensors:
> >I need some pointers to find some attack/evaluation tools to exec towards
> >the victim machine inside my testbed.
>
> As for attack tools, there are so many we could spend all
> day. But a good open-source tool is Nessus. It can run tons
> of scans against a machine and make most IDS's light up like
> a Christmas tree. Another swell tool is Retina from eEye
> Digital. You can download a free-eval copy to bang away at
> your HIDS and watch them go.
>
> These are intended as vulnerability scanners, I should note.
> But any decent IDS should pick up their scans as events.
>
> >I also know something about IDSwakeup/snot/stick tools; but AFAIK they're
> >for network ids evaluation.
> >Is there something out there (similar to it) for host-based ids ?
> >It could be very useful to me if you would point me in the right direction.
>
> All of these tools will work on a HIDS. Just configure their
> scans to be pointed specifically at the system where the HIDS
> is running.
>
> ------------------------------------
> Andrew Plato, CISSP
> President / Principal Consultant
> Anitian Corporation
>
> (503) 644-5656 office
> (503) 201-0821 cell
> http://www.anitian.com
> ------------------------------------
>
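Toby's point above is that a host-based sensor keys on changes to the host (new files, modified configuration, changed permissions, log entries), not on the packets a scanner sends, so a scan that never completes an attack leaves nothing for it to see. The following is an added illustration written for this page, not code from the thread or from any of the HIDS products mentioned: a minimal file-integrity check in the style of a classic HIDS, run against a throwaway directory tree (the file names, the "scan" and the "completed attack" are all constructed stand-ins). A read-only probe produces no alerts; only the completed attack, which actually changes host state, does.

```python
"""Minimal file-integrity style HIDS check: alerts only on host-state change.

Added illustration for the Focus-IDS thread above, not code from it.
Uses a temporary directory as the monitored tree so it runs offline
without touching a real host.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Record (sha256, permission bits) for every regular file under root."""
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            snap[rel] = (hash_file(p), stat.S_IMODE(p.stat().st_mode))
    return snap


def check(root: Path, base: dict) -> list:
    """Compare the tree against the baseline; return a list of alert strings."""
    alerts = []
    now = baseline(root)
    for rel, (digest, mode) in now.items():
        if rel not in base:
            alerts.append(f"new file: {rel}")
            if mode & stat.S_ISUID:
                alerts.append(f"setuid bit set on new file: {rel}")
            continue
        old_digest, old_mode = base[rel]
        if digest != old_digest:
            alerts.append(f"content changed: {rel}")
        if mode != old_mode:
            alerts.append(f"mode changed: {rel} {oct(old_mode)} -> {oct(mode)}")
    for rel in base:
        if rel not in now:
            alerts.append(f"file removed: {rel}")
    return alerts


def simulate_scan(root: Path) -> None:
    """Constructed stand-in for a vulnerability scan: it only reads the target
    and writes nothing, so host state is unchanged."""
    for p in root.rglob("*"):
        if p.is_file():
            p.read_bytes()


def simulate_completed_attack(root: Path) -> None:
    """Constructed stand-in for a finished attack: appends an account-like line
    to the passwd stand-in and drops a setuid helper in tmp."""
    with (root / "etc" / "passwd").open("a") as f:
        f.write("backdoor:x:0:0::/root:/bin/sh\n")
    helper = root / "tmp" / "helper"
    helper.write_bytes(b"#!/bin/sh\nexec /bin/sh\n")
    helper.chmod(0o4755)


def run_demo() -> tuple:
    """Build a throwaway tree, baseline it, and return
    (alerts after the scan, alerts after the completed attack)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "tmp").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        base = baseline(root)
        simulate_scan(root)
        after_scan = check(root, base)
        simulate_completed_attack(root)
        after_attack = check(root, base)
    return after_scan, after_attack


if __name__ == "__main__":
    scan_alerts, attack_alerts = run_demo()
    print("after scan:", scan_alerts)
    print("after completed attack:", attack_alerts)
```

The same reasoning applies to log-watching sensors: a probe that is refused at the service boundary may log a connection, but the signatures a HIDS carries are for what a successful exploit leaves behind, which is why a test plan for a host sensor has to finish the attack (or reproduce its artefacts) rather than stop at the scan.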
