RE: Test tools for IDS

From: Bohling James CONT JBC (james.bohling_at_JBC.JFCOM.MIL)
Date: 09/30/03

    Date: Tue, 30 Sep 2003 11:50:46 -0400
    To: "Brian Laing" <brian.laing@blade-software.com>, "Raj Ghosh" <rajghosh@hotmail.com>, <focus-ids@securityfocus.com>
    
    

    "Sneeze" is great for Snort IDS. However, I have only used it locally
    for a static Snort box. I am in the process of trying to use sneeze
    with the Snort IDS rule sets to send false positives to different IDSs.
    I don't think this will work, but I am going to attempt it. I don't know
    how well the Perl script fabricates the packets. If it does accurately,
    then it may well work. If not, I will eventually examine the code and
    see what can be tweaked w/o crashing the script.

    "Snot" is supposed to be another good generator using the Snort rule set
    as input, but I haven't used it. I attempted to, but the script wouldn't
    run. I installed the Perl modules required, but I think the
    documentation is lacking one of the scripts.

    I am using the sneeze on the Snort Linux box. I am sure it will run on
    the Snort Windows box, but you have to install the Perl interpreter on
    the Windows box and include the extension in your fields (forgot the
    technical term) that will allow the box to accept Perl. Also the Snort
    rule sets may need to be ported over to .txt so that the but possibly
    not. I know this sounds like a lot, but it really isn't from the Linux
    side. I had it up and running in 10 minutes (excluding the Snort
    install and configuration).

    Thank You,
    James T. Bohling, CCNA, Security+, MCP-Win2k
    Network Security Engineer - JBC CoE
    Joint C4ISR Battle Center (AMSEC)
    116 Lake View Parkway
    Suffolk, VA 23435
    (W) 757-638.4032
    Web: www.jbc.jfcom.mil
    This email was produced and manufactured in America, and is a
    one-of-a-kind original.

    -----Original Message-----
    From: Brian Laing [mailto:brian.laing@blade-software.com]
    Sent: Monday, September 29, 2003 12:55 PM
    To: 'Raj Ghosh'; focus-ids@securityfocus.com
    Subject: RE: Test tools for IDS

    Raj,
    You can take a look at our product IDS Informer, which allows for
    IDS testing, including inline IPS-type testing. Many of the IDS vendors
    are finding it a useful application for testing their IDS and using it in
    a sales/consulting environment. You can get an eval at
    www.bladesoftware.net. Drop me a line if you have any questions.

    Brian

    -------------------------------------------------------------------
    Brian Laing
    CTO
    Blade Software
    Cellphone: +1 650.280.2389
    Telephone: +1 650.367.9376
    eFax: +1 650.249.3443
    Blade Software - Because Real Attacks Hurt
    http://www.Blade-Software.com
    -------------------------------------------------------------------
     

    -----Original Message-----
    From: Raj Ghosh [mailto:rajghosh@hotmail.com]
    Sent: Friday, September 26, 2003 3:58 PM
    To: focus-ids@securityfocus.com
    Subject: Test tools for IDS

    Hi,

    Are there any good test suites available to test the IDS products for
    intrusion coverage? A few I am looking at are:

    1) Nessus scanner

    2) IDS Informer

    Are there any other freeware or licensed products that anyone has
    experience with?

    TIA,

    Raj

    ------------------------------------------------------------------------

    ---
    Captus Networks IPS 4000
    Intrusion Prevention and Traffic Shaping Technology to: 
     - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
     - Automatically Control P2P, IM and Spam Traffic
     - Precisely Define and Implement Network Security & Performance
    Policies FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo
    http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
    ------------------------------------------------------------------------
    ---