Re: host-based ids evaluation

From: raffael.marty@ch.pwcglobal.com
Date: 08/15/02


To: "toby.kohlenberg@intel.com; focus-ids@securityfocus.com" <focus-ids@securityfocus.com>
Date: Thu, 15 Aug 2002 09:21:50 +0200


> I'd recommend against trying to use a vulnerability scanner to try
> and test HIDS. A decent HIDS product will not necessarily light up
> at a Nessus scan since a successful attack has not completed. You
> would have to write custom Nessus scripts if you want it to complete
> an attack. HIDS are best tested by performing actual attacks against
> the system you have the HIDS on.

I agree to some extent. But let me add the following:

1. If you customize the Nessus scripts a bit (I wrote UNIX scripts that
do that automatically), you can issue attacks that the IDS should
trigger on.
2. Make sure you absolutely understand what the scanner is doing. Nessus is
of great help, as you get the attack scripts with it. Look at them and see
what they do. As soon as you can make sure that the attack is going over
the network, the IDS should alert.
3. The problem with running "real" attacks is having a good repository of
them. I didn't have one for my work and was left with Nessus, which turned
out to be quite helpful. (Do you have a collection of attacks that you
would share?)

In my thesis (raffy.ch/projects/ids), which addresses IDS testing for the
sake of correlating multiple sensors, I cover some of the problems with
issuing attacks against machines and also how to change the Nessus scripts.

      Raffy

[A paper about the thesis is on the way, be patient ...]

--
  Raffael Marty                                      PWC Consulting
  IT Security Consultant        Affolternstrasse 56, CH-8050 Zürich
  raffael.marty@ch.pwcglobal.com                    +41 1 630 35 97
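As an added example (not part of the original post, nor one of the thesis scripts it mentions): a small Python evaluation harness that does the bookkeeping points 2 and 3 above call for, matching each scan plugin that actually completed its attack to HIDS alerts from the scanner's address within a grace window, and keeping banner-only checks out of the miss count. The plugin records, the `completed` flag, the scanner address and the syslog-style HIDS log format are constructed assumptions, not Nessus or any product's output.

```python
import re
from datetime import datetime, timedelta

# Constructed scan run: one record per Nessus plugin issued against the HIDS host.
# "completed" is a hypothetical flag saying whether the plugin really sent its
# attack traffic (True) or only did a banner/version check (False).
SCAN_RUN = [
    {"plugin": "A", "name": "ftp anonymous login", "start": "2002-08-15 09:01:10",
     "end": "2002-08-15 09:01:12", "completed": True},
    {"plugin": "B", "name": "ftpd version banner check", "start": "2002-08-15 09:02:00",
     "end": "2002-08-15 09:02:01", "completed": False},
    {"plugin": "C", "name": "cgi traversal request", "start": "2002-08-15 09:03:30",
     "end": "2002-08-15 09:03:33", "completed": True},
    {"plugin": "D", "name": "rpc service probe", "start": "2002-08-15 09:04:10",
     "end": "2002-08-15 09:04:12", "completed": True},
]

# Constructed syslog-style HIDS alert lines from the target host.
HIDS_LOG = """\
Aug 15 09:01:11 target hids: ALERT src=10.0.0.9 ftp anonymous login accepted
Aug 15 09:03:40 target hids: ALERT src=10.0.0.9 http path traversal attempt
Aug 15 09:05:00 target hids: ALERT src=10.0.0.20 su to root failed
"""

LOG_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ hids: ALERT src=(\S+) (.*)$")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def parse_alerts(log_text, year=2002):
    """Return (timestamp, source_ip, message) tuples; syslog lines carry no year."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            alerts.append((ts, m.group(2), m.group(3)))
    return alerts

def evaluate(scan_run, alerts, scanner_ip, grace_seconds=30):
    """Classify each plugin as 'detected', 'missed' or 'not_exercised'."""
    results = {}
    for run in scan_run:
        if not run["completed"]:
            # No attack went over the wire, so a silent HIDS is not a miss here.
            results[run["plugin"]] = "not_exercised"
            continue
        start = datetime.strptime(run["start"], TS_FMT)
        end = datetime.strptime(run["end"], TS_FMT) + timedelta(seconds=grace_seconds)
        hit = any(src == scanner_ip and start <= ts <= end for ts, src, _ in alerts)
        results[run["plugin"]] = "detected" if hit else "missed"
    return results
```

Alerts from other sources (the `10.0.0.20` line) are ignored on purpose, so unrelated host activity during the run does not inflate the detection count.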


