RE: IDS Informer

From: "Brian Laing" <Brian.Laing@Blade-Software.com>
To: "'David W. Goodrum'" <dgoodrum@nfr.com>, "'Delroy Gooden'" <delroygooden@hotmail.com>
Date: Tue, 8 Oct 2002 07:41:33 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

David,

The main difference between IDS Informer and other testing tools (such
as vulnerability testing tools) is that IDS Informer is a commercial
tool designed to test the ability of an IDS to detect an event
without an attack actually taking place.

When testing a network-based IDS with IDS Informer, it is not a
requirement for the target machine to be compromised, or even to exist,
in order for the event to be detected, although the transmission method
can determine this. This is not something a vulnerability scanner
can do.

When we create our attacks we run them to completion in our labs
(this is done by IDS developers, some of whom have worked on major
IDS products). While the attack is happening we have a network
sniffer capturing the entire attack from start to finish. The
captured attack is then stored with a description, all without
changing the packets, so as not to change the attack or the
response to the attack in any way. This also gives us the ability to
monitor the attack to identify if it does anything else when run,
such as hidden exploits within exploits.

This process converts the captured packets into a secure format that
can be used by IDS Informer's advanced configuration. A security check
is performed each time the attacks are run by IDS Informer to assure
they have not been tampered with in any way; if they have, they will
not load. It also enables IDS Informer's other features, which modify a
number of characteristics of the packets to prevent the attack from
being successful whilst maintaining all of its characteristics; this
is why you could see failed GET requests. This is exactly what is
supposed to happen. At no time should an attack from IDS Informer ever
be successful on a target system or service.

We are getting ready to release a major new release of the IDS
Informer attacks which will allow users to send out complete sessions
that simulate either successful or unsuccessful attacks. This means
that if the signature trigger is based on a response from the victim,
then it will have that response. An IDS that is smart enough to tell
the difference between a successful attack and an unsuccessful attack
can be demonstrated to be working using either of the two attacks.

We and our clients believe that this methodology has significant
benefits when testing, including:

1. The ability to use IDS Informer to test an IDS in a live production
and evaluation environment, therefore providing a measurement for
ROI;

2. The development time for building target machines and networks is
greatly reduced (and may no longer be a requirement at all);

3. It offers a guaranteed 100% repeatable testing platform for your
IDS with the ability to easily simulate many different scenarios;

4. The research time for each attack is dramatically reduced; once
the attack is in our format it can be safely and securely stored
for use time and time again;

5. The potential for accidental damage of production systems is
greatly reduced.

Additionally, you can use our Attack Developers Kit to send out your
own capture files using our modification capabilities. This will
allow you to replay any bespoke traffic that you wish to test with
once, convert it into our format and then replay it through IDS
Informer, allowing you to run it on any network time and time again,
modifying the source and destination IP addresses, the attack and
packet injection rate, and guaranteeing an exact 100% repeatable test.
This allows for stressing of the IDS management as well as specific
evasion techniques.

With IDS Informer we aim to provide our clients with an extensive
range of IDS testing capabilities, all within one easy-to-use
application. This removes the need to run live unmonitored exploit
code, to have a sacrificial host target and the need to run multiple
operating systems; this all leads to drastically reducing the time
and effort required to effectively test an intrusion detection system
and to prove its operational effectiveness.

If anyone detects any issues with our attacks, please send me a mail
directly and I would be happy to have one of our developers get in
touch with you.

- -------------------------------------------------------------------
Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650 367.9376
eFax: +1 208.575.1374
Blade Software - Because Real Attacks Hurt
http://www.Blade-Software.com
- -------------------------------------------------------------------

- -----Original Message-----
From: David W. Goodrum [mailto:dgoodrum@nfr.com]
Sent: Sunday, October 06, 2002 5:01 AM
To: Delroy Gooden
Cc: focus-ids@securityfocus.com
Subject: Re: IDS Informer

It has been my experience that vulnerability testing tools are designed
to do just that: "Vulnerability Testing", NOT "IDS TESTING". IDS
Informer, in theory, tries to be an IDS tester, but I've seen too many
cases where their "pre-packaged" tests were munged in one way or
another. In several cases they failed to actually establish a session
before launching a stateful attack. Or in one buffer overflow, they
didn't actually launch the overflow. Another case launched the first
half of an exploit, but not the second half. I realize that the guys at
Blade have been trying to correct a lot of these issues, but I'm always
a little skeptical. Once bitten, twice shy, I guess.

Tools like these are an okay start, but they'll never truly test your
IDS the way using the real exploit would, because they're not always
trustworthy. If your testing tool ever does not trigger an alarm on
your IDS, the first thing to do would be to run the real exploit. Also,
just using a tool like IDS Informer doesn't mean you shouldn't still do
things such as pipe it through fragroute, or try other evasion
techniques.

While your first run through would be difficult without one of these
testing tools, subsequent runs would be easier. You could either script
everything, or use a tool like tcpdump and tcpreplay to record and
replay the attacks onto a static wire later on, giving you a great
knowledge base of how these exploits work in the process.

- -dave

Delroy Gooden wrote:
>
> Hi,
>
> I have been thinking about buying IDS Informer to test my IDS rather
> than using CyberCop Scanner, as it is defunct. Does anyone use the
> application or have any comments?
>
> Delroy

- --
David W. Goodrum
Senior Systems Engineer
NFR Security
Mobile: 703.731.3765
Office: 240.747.3425

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1.1

iQA/AwUBPaLunYcqkwDZV2C0EQLzUwCeKugIn0u7+3fNoz8GXswnwq8MdmYAoOVc
2GOZVENpbSqFhI0DryZVoDYa
=0d79
-----END PGP SIGNATURE-----
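Both messages above describe the same workflow from different angles: capture an attack once, store it with a description and an integrity check so it cannot be altered unnoticed, then replay it with rewritten source and destination addresses at a chosen injection rate (Brian's description of the IDS Informer format and Attack Developers Kit; David's tcpdump/tcpreplay suggestion). The thread does not describe IDS Informer's actual file format, so the script below is an added example and not Blade Software's or tcpreplay's code. It assumes an HMAC-sealed record (name, description, pcap bytes), a raw-IPv4 pcap, and helper names (`seal_capture`, `load_capture`, `rewrite_ips`, `prepare_replay`) invented for the illustration. The traffic is a constructed two-packet HTTP GET session. The script recomputes the IP and TCP checksums after rewriting, which is the step a naive address edit gets wrong: many IDS engines ignore packets with bad checksums, so a replay that skips it tests nothing.

```python
"""Integrity-checked capture store and replay preparation for IDS testing (added example,
not IDS Informer's or tcpreplay's code; record layout, HMAC seal and names are assumptions)."""
import hmac
import struct
from socket import inet_aton, inet_ntoa

LINKTYPE_RAW = 101  # pcap link type for raw IPv4 packets (no Ethernet header)


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; zero-padded if the length is odd."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fix_checksums(pkt: bytes) -> bytes:
    """Recompute the IPv4 header checksum and, for TCP/UDP, the pseudo-header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    seg = bytearray(pkt[ihl:])
    proto = hdr[9]
    csum_off = {6: 16, 17: 6}.get(proto)  # checksum field offset inside TCP / UDP
    if csum_off is not None and len(seg) >= csum_off + 2:
        seg[csum_off:csum_off + 2] = b"\x00\x00"
        pseudo = bytes(hdr[12:20]) + struct.pack("!BBH", 0, proto, len(seg))
        seg[csum_off:csum_off + 2] = struct.pack("!H", ip_checksum(pseudo + bytes(seg)))
    return bytes(hdr) + bytes(seg)


def checksums_ok(pkt: bytes) -> bool:
    """True when the packet already carries the checksums fix_checksums would produce."""
    return fix_checksums(pkt) == pkt


def build_tcp_packet(src, dst, sport, dport, flags, payload=b"", seq=0, ack=0) -> bytes:
    """Build a raw IPv4/TCP packet without options (constructed traffic for the example)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 0x50, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    return fix_checksums(ip + tcp)


def rewrite_ips(pkt: bytes, new_src: str, new_dst: str) -> bytes:
    # Swap the addresses (bytes 12..20 of IPv4) so one capture replays on any segment.
    return fix_checksums(pkt[:12] + inet_aton(new_src) + inet_aton(new_dst) + pkt[20:])


def write_pcap(packets) -> bytes:
    """Serialise packets as a little-endian pcap file, one packet per second of capture time."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW))
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return bytes(out)


def read_pcap(data: bytes):
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    off, pkts = 24, []
    while off < len(data):
        incl = struct.unpack_from("<IIII", data, off)[2]
        pkts.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return pkts


def _seal_input(name: str, description: str, pcap: bytes) -> bytes:
    return name.encode() + b"\x00" + description.encode() + b"\x00" + pcap


def seal_capture(key: bytes, name: str, description: str, packets) -> dict:
    """Store a capture with its description and an HMAC so any later edit is detected."""
    pcap = write_pcap(packets)
    tag = hmac.new(key, _seal_input(name, description, pcap), "sha256").hexdigest()
    return {"name": name, "description": description, "pcap": pcap.hex(), "hmac": tag}


def load_capture(key: bytes, record: dict):
    """Refuse to load a record whose name, description or packets no longer match the seal."""
    pcap = bytes.fromhex(record["pcap"])
    expected = hmac.new(key, _seal_input(record["name"], record["description"], pcap), "sha256")
    if not hmac.compare_digest(expected.hexdigest(), record["hmac"]):
        raise ValueError("capture failed its integrity check; refusing to load")
    return read_pcap(pcap)


def prepare_replay(key, record, new_src, new_dst, packets_per_second):
    """Return (send offset in seconds, rewritten packet) pairs paced at the requested rate."""
    pkts = load_capture(key, record)
    return [(i / packets_per_second, rewrite_ips(p, new_src, new_dst)) for i, p in enumerate(pkts)]


KEY = b"lab-sealing-key"  # constructed; a real store keeps this key away from the records

# Constructed two-packet session recorded in the lab: a SYN, then an HTTP GET.
SESSION = [
    build_tcp_packet("10.0.0.5", "10.0.0.9", 40000, 80, 0x02, seq=1000),
    build_tcp_packet("10.0.0.5", "10.0.0.9", 40000, 80, 0x18,
                     b"GET /index.html HTTP/1.0\r\n\r\n", seq=1001, ack=5001),
]
RECORD = seal_capture(KEY, "http-get-session", "Lab capture of a plain HTTP GET", SESSION)

if __name__ == "__main__":
    for offset, pkt in prepare_replay(KEY, RECORD, "192.0.2.10", "192.0.2.20", 50):
        print(f"t+{offset:.2f}s {inet_ntoa(pkt[12:16])} -> {inet_ntoa(pkt[16:20])} {len(pkt)} bytes")
```

Running it prints the replay schedule only; nothing is put on the wire, since the point is the preparation step that sits between capture and replay. Editing any field of the sealed record makes `load_capture` raise instead of returning packets, which is the "will not load" behaviour Brian describes. On real captures the same address rewriting and checksum repair is what tcprewrite from the tcpreplay suite does before tcpreplay sends the file.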
