Re: Testing IDS/IPS Signatures
From: Ron Gula (rgula_at_tenablesecurity.com)
Date: 05/28/04
- Previous message: Andrea Barisani: "Re: Testing IDS/IPS Signatures"
- In reply to: Securecatalyst: "Testing IDS/IPS Signatures"
- Next in thread: ravivsn_at_www.rocsys.com: "Re: Testing IDS/IPS Signatures"
- Reply: ravivsn_at_www.rocsys.com: "Re: Testing IDS/IPS Signatures"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 May 2004 13:21:04 -0400 To: <focus-ids@securityfocus.com>
Anyone testing an IPS should attempt to use the denial of
service features in Nessus and NeWT to see what is in fact
being prevented. Nessus and NeWT contain a wide variety of
DoS checks which perform fairly invasive tests.
Nessus and NeWT also have a variety of anti-NIDS evasion
features built in. For example, you can perform a variety of
web vulnerability scans, and have them use URL encoding,
TCP desynchronized packets and fragmentation. Although using
a vulnerability scanner to test a NIDS is an imperfect test,
comparing what a NIDS picks up when evasion is and isn't used
during a scan is extremely enlightening.
Most people know that Nessus can be obtained from
www.nessus.org but they may not know that NeWT is also available
as a complimentary download from www.tenablesecurity.com.
NeWT is available for Windows XP/2000 and can scan any machine
on the local "Class C" network. It performs the same security
checks as Nessus, but has its own interface, reporting and
usability features. NeWT Pro is the commercial variant which
has no local "Class C" scan limitation. If you have an IDS or
IPS in a lab or on a small DMZ, you can use NeWT to launch
your tests from any available Windows laptop or server.
Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
At 06:30 PM 5/27/2004 -0800, Securecatalyst wrote:
>Hi All,
>
>I want to learn if anyone knows any particular tool or product to test and
>validate IDS/IPS rules and signatures?
>
>I know Snot / Stick / Mucus-1 can do a good job however they can not test
>the signatures when the IDS/IPS does a stateful-inspection. They simply
>import the SNORT signatures into packets and inject them into the NW to test the
>rules. However, they do not establish a TCP 3-way handshake and stateful
>engines (specifically for TCP, not UDP/ICMP) simply ignore them.
>
>I think Blade Software has some good marketing documents but I also heard
>that their signature set is not complete enough to test all. Anybody any experience
>with this?
>
>Further, is there any other way to validate the IDS/IPS signature other than
>running the attack itself against a vulnerable machine? I think
>vulnerability assessment tools do not help, due to similar reasons as with
>Snot/Stick.
>
>I particularly wonder how TippingPoint, Intruvert, Toplayer and OneSecure
>verify their signatures? Or, do they really verify? If they did, there
>wouldn't be this many false-positives, right? I know some vendors simply
>take SNORT signatures and put them into their SNORT-modified engine but I am
>getting lots of complaints around SNORT's noise and false positives.
>
>Your input will be highly appreciated.
>
>Cheers,
>
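The two technical points raised in this thread, that a stateful engine ignores signature-bearing packets injected without a TCP three-way handshake (the Snot/Stick limitation in the original question) and that a scan run with URL encoding can slip past a signature that matches only the raw request (Ron's evasion comparison), can both be shown with a small detection-side model. The following is an added example, not code from the original post, from Nessus/NeWT or from Snort: a toy inspector that only examines payload on connections whose handshake it has seen, and that can match signatures either against the raw URI or against a percent-decoded, lower-cased form. The signature set, packet class, hosts and the HTTP request are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
from urllib.parse import unquote

# Constructed signature set: name -> substring expected in the request URI.
# Real NIDS rules are far richer; this is only enough to show the effect
# of normalization and connection state on what gets reported.
SIGNATURES = {
    "dir-traversal": "../",
    "cmd-exe": "cmd.exe",
}


def extract_uri(payload: bytes) -> Optional[str]:
    """Return the request-target from an HTTP request line, or None if the
    payload does not look like an HTTP request."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]


def normalize_uri(uri: str) -> str:
    """Percent-decode twice (so a double-encoded URI is also caught) and
    lower-case, so the signature sees what the web server would see."""
    return unquote(unquote(uri)).lower()


def match(uri: str, normalize: bool) -> Set[str]:
    """Names of signatures whose pattern appears in the (optionally
    normalized) URI. With normalize=False this behaves like a naive
    raw-content match and misses the URL-encoded form."""
    target = normalize_uri(uri) if normalize else uri
    return {name for name, pattern in SIGNATURES.items() if pattern in target}


@dataclass
class Packet:
    """Minimal constructed TCP segment: endpoints, flag set, payload."""
    src: str
    dst: str
    flags: frozenset
    payload: bytes = b""


@dataclass
class StatefulInspector:
    """Tracks SYN / SYN-ACK / ACK per (client, server) pair and inspects
    payload only once the handshake has completed, which is why a bare
    data packet injected by a Snot/Stick-style tool produces no alert."""
    normalize: bool = True
    _syn: Set[Tuple[str, str]] = field(default_factory=set)
    _synack: Set[Tuple[str, str]] = field(default_factory=set)
    _established: Set[Tuple[str, str]] = field(default_factory=set)

    def feed(self, pkt: Packet) -> List[str]:
        key = (pkt.src, pkt.dst)
        rev = (pkt.dst, pkt.src)
        if pkt.flags == {"SYN"}:
            self._syn.add(key)
        elif pkt.flags == {"SYN", "ACK"} and rev in self._syn:
            self._synack.add(rev)
        elif pkt.flags == {"ACK"} and key in self._synack:
            self._established.add(key)
        if not pkt.payload or key not in self._established:
            return []  # no data, or data outside an established connection
        uri = extract_uri(pkt.payload)
        if uri is None:
            return []
        return sorted(match(uri, self.normalize))


def handshake(client: str, server: str) -> List[Packet]:
    """The three segments of a TCP handshake from client to server."""
    return [
        Packet(client, server, frozenset({"SYN"})),
        Packet(server, client, frozenset({"SYN", "ACK"})),
        Packet(client, server, frozenset({"ACK"})),
    ]


def run(packets: List[Packet], normalize: bool = True) -> List[str]:
    """Feed a packet list through a fresh inspector; return all alerts."""
    inspector = StatefulInspector(normalize=normalize)
    alerts: List[str] = []
    for pkt in packets:
        alerts.extend(inspector.feed(pkt))
    return alerts


# Constructed request: the traversal is URL-encoded, as a scanner's
# URL-encoding evasion option would send it.
ENCODED_REQUEST = b"GET /app/..%2f..%2fconfig HTTP/1.0\r\nHost: example.test\r\n\r\n"
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"
DATA = Packet(CLIENT, SERVER, frozenset({"PSH", "ACK"}), ENCODED_REQUEST)

if __name__ == "__main__":
    print("injected without handshake:", run([DATA]))
    print("after handshake, raw match: ", run(handshake(CLIENT, SERVER) + [DATA], normalize=False))
    print("after handshake, normalized:", run(handshake(CLIENT, SERVER) + [DATA]))
```

Running the three scenarios side by side is the comparison Ron describes: the same request yields nothing when injected cold or when matched raw, and an alert only when the connection is established and the URI is normalized before matching. A test harness for a real NIDS should therefore drive complete connections and exercise each evasion option separately, so that a missed alert can be attributed to state tracking or to normalization rather than to the rule itself.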