Re: IDS Informer

From: Chad Skipper (chad.skipper@blade-software.com)
Date: 10/08/02


Date: 8 Oct 2002 02:38:46 -0000
From: Chad Skipper <chad.skipper@blade-software.com>
To: focus-ids@securityfocus.com


In-Reply-To: <3DA02608.55B011D8@nfr.com>

Dave

I would like to respond in kind to your message concerning IDS Informer. I
am afraid that you have been misled about some of IDS Informer's
capabilities.

>In several cases they failed to actually establish a session before
>launching a stateful attack.
 - IDS Informer uses a technique in which we do not establish a session at
all but actually send the captured exploit by injecting the attack traffic
into a live network destined for an endpoint of any kind in a controlled,
repeatable manner.

>Tools like these are an okay start, but they'll never truly test your
>IDS the way using the real exploit would, because they're not always
>trustworthy.
 - IDS Informer developers are in the process of capturing traffic of
exploits destined to vulnerable and non-vulnerable systems. This is the
traffic of the real exploit which then can be transmitted over and over
again through IDS Informer.

>If your testing tool ever does not trigger an alarm on
>your IDS, the first thing to do would be to run the real exploit.
 - Since IDS Informer sends the replayed traffic of the actual exploit
against vulnerable and non-vulnerable systems, and the IDS vendor does not
pick it up, then IDS Informer has done one of its many jobs.

>Also, just using a tool like IDS Informer doesn't mean you shouldn't
>still do things such as pipe it through fragroute, or try other evasion
>techniques.
 - With my former employer we actually used IDS Informer and routed the
traffic through fragrouter... worked like a champ.

>You could either script everything, or use a tool like tcpdump and
>tcpreplay to record and replay the attacks onto a static wire later on,
 - This is true for tcpreplay IF your IDS sensor is on the same hub as
your tcpreplay box. Tcpreplay does not replay traffic through a switch.

Hope this clarifies a few issues.

Thanks

Chad R. Skipper
Blade Software

>It has been my experience that vulnerability testing tools are designed
>to do just that: "Vulnerability Testing" NOT "IDS TESTING". IDS
>Informer, in theory, tries to be an IDS tester, but I've seen too many
>cases where their "pre-packaged" tests were munged in one way or
>another. In several cases they failed to actually establish a session
>before launching a stateful attack. Or in one buffer overflow, they
>didn't actually launch the overflow. Another case launched the first
>half of an exploit, but not the second half. I realize that the guys at
>Blade have been trying to correct a lot of these issues, but I'm always
>a little skeptical. Once bitten twice shy I guess.
>
>Tools like these are an okay start, but they'll never truly test your
>IDS the way using the real exploit would, because they're not always
>trustworthy. If your testing tool ever does not trigger an alarm on
>your IDS, the first thing to do would be to run the real exploit. Also,
>just using a tool like IDS Informer doesn't mean you shouldn't still do
>things such as pipe it through fragroute, or try other evasion
>techniques.
>
>While your first run through would be difficult without one of these
>testing tools, subsequent runs would be easier. You could either script
>everything, or use a tool like tcpdump and tcpreplay to record and
>replay the attacks onto a static wire later on, giving you a great
>knowledge base of how these exploits work in the process.
>
>-dave
>
>
>Delroy Gooden wrote:
>>
>> Hi,
>>
>> Have been thinking about buying IDS Informer to test my ids rather than
>> using Cybercop Scanner as it is defunct, does anyone use the application or
>> have any comments?
>>
>> Delroy
>>
>
>--
>David W. Goodrum
>Senior Systems Engineer
>NFR Security
>Mobile: 703.731.3765
>Office: 240.747.3425
>
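
The objection raised above to tcpreplay, that it only works when the sensor shares a hub with the replay box, comes down to addressing: a switch forwards a unicast frame only toward the port where its destination MAC was learned, so a recorded exploit has to be re-addressed to a host on the sensor's segment before it is put on the wire. As an added example (not code from this thread, from Blade Software, or from the tcpreplay project), the following Python rewrites the destination MAC and IPv4 address of every frame in a classic pcap and repairs the IP and TCP/UDP checksums, the kind of work later done by tcpreplay's companion tcprewrite. The capture, MAC addresses, target host and request payload are all constructed for the example.

```python
"""Rewrite the destination MAC and IPv4 address of every frame in a pcap so a
recorded exploit can be replayed at a host on the sensor's segment.
Added example for this thread; not code from Blade Software or tcpreplay.
Assumptions: classic pcap format, Ethernet link type, IPv4 carrying TCP/UDP."""
import struct

ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Over a header whose checksum field
    is already correct it returns 0, which is how validate_frame() checks."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def rewrite_frame(frame: bytes, new_dmac: bytes, new_dst_ip: bytes) -> bytes:
    """Replace dst MAC and dst IP, then fix the IP and transport checksums.
    Non-IPv4 frames pass through untouched."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return frame
    buf = bytearray(frame)
    buf[0:6] = new_dmac
    ip = 14                                   # IPv4 header follows the Ethernet header
    ihl = (buf[ip] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[ip + 2:ip + 4])[0]
    proto = buf[ip + 9]
    frag = struct.unpack("!H", buf[ip + 6:ip + 8])[0]
    buf[ip + 16:ip + 20] = new_dst_ip
    buf[ip + 10:ip + 12] = b"\x00\x00"
    buf[ip + 10:ip + 12] = struct.pack("!H", checksum(bytes(buf[ip:ip + ihl])))
    # The TCP/UDP checksum covers a pseudo-header containing the IP addresses,
    # so it must be recomputed too. That is only possible on an unfragmented
    # datagram (MF clear, offset 0); fragments need reassembly first, so their
    # transport checksum is left alone here.
    if proto in (6, 17) and frag & 0x3FFF == 0:
        l4s, l4e = ip + ihl, ip + total_len
        l4 = bytearray(buf[l4s:l4e])
        off = 16 if proto == 6 else 6         # checksum field offset in TCP / UDP
        l4[off:off + 2] = b"\x00\x00"
        pseudo = bytes(buf[ip + 12:ip + 20]) + struct.pack("!BBH", 0, proto, len(l4))
        csum = checksum(pseudo + bytes(l4))
        if proto == 17 and csum == 0:         # UDP: 0 means "no checksum"
            csum = 0xFFFF
        l4[off:off + 2] = struct.pack("!H", csum)
        buf[l4s:l4e] = l4
    return bytes(buf)


def rewrite_pcap(data: bytes, new_dmac: bytes, new_dst_ip: bytes) -> bytes:
    """Walk a classic pcap (either byte order) and rewrite every frame."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type")
    out = bytearray(data[:24])
    off = 24
    while off + 16 <= len(data):
        hdr = data[off:off + 16]
        incl_len = struct.unpack(end + "I", hdr[8:12])[0]
        out += hdr + rewrite_frame(data[off + 16:off + 16 + incl_len], new_dmac, new_dst_ip)
        off += 16 + incl_len
    return bytes(out)


def build_tcp_frame(smac, dmac, sip, dip, sport, dport, payload):
    """Constructed sample: one TCP segment with honestly computed checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0, sip, dip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return dmac + smac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000000000 + i, 0, len(f), len(f)) + f
    return out


def validate_frame(frame):
    """Return (dst_mac, dst_ip, ip_checksum_ok, transport_checksum_ok)."""
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ip + 2:ip + 4])[0]
    l4 = frame[ip + ihl:ip + total_len]
    pseudo = frame[ip + 12:ip + 20] + struct.pack("!BBH", 0, frame[ip + 9], len(l4))
    return (frame[0:6].hex(":"), ".".join(str(b) for b in frame[ip + 16:ip + 20]),
            checksum(frame[ip:ip + ihl]) == 0, checksum(pseudo + l4) == 0)


# Constructed capture: a placeholder CGI request recorded going to 192.0.2.10.
CAPTURED = build_pcap([build_tcp_frame(
    bytes.fromhex("00005e005301"), bytes.fromhex("00005e0053ff"),
    bytes([192, 0, 2, 5]), bytes([192, 0, 2, 10]), 40000, 80,
    b"GET /cgi-bin/vulnerable?x=AAAA HTTP/1.0\r\n\r\n")])


def demo():
    """Re-address the capture to an assumed target (198.51.100.20, MAC
    00:00:5e:00:53:02) on the IDS's segment and validate the first frame."""
    rewritten = rewrite_pcap(CAPTURED, bytes.fromhex("00005e005302"), bytes([198, 51, 100, 20]))
    return validate_frame(rewritten[24 + 16:])


if __name__ == "__main__":
    print(demo())
```

Whatever tool does the rewriting, the IDS still has to see the segment: on a switch that means a mirror (SPAN) port or a tap in front of the sensor, not just a rewritten destination. Fragmented datagrams are passed through with their original transport checksum, so either reassemble before rewriting or run fragroute after the rewrite rather than before it.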
