Re: Testing IDS/IPS Signatures

ravivsn_at_www.rocsys.com
Date: 05/29/04

    Date: Sat, 29 May 2004 12:02:23 +0530 (IST)
    To: <rgula@tenablesecurity.com>
    
    

    True, Nessus can help in testing signatures, but IMHO it has limitations.
    All the NASL scripts in Nessus do not really attempt to run exploits; most
    of them are ACT_GATHER_INFO, meaning they only look at whether a particular
    port is open or check for a version in the banner received.
    Also, to test all the signatures you need systems which have those
    vulnerabilities. If not, Nessus is going to fail to show the results.

    I have a bit of experience in testing IDS/IPS signatures. I used Nikto,
    libwhisker and mutate2. Mutate2 is a good tool which really tests anti-NIDS
    tactics.

    As far as snot/stick are concerned, they are not intended to test
    signatures. These tools trigger lots of false positives by generating
    packets matching the patterns of Snort signatures. In a way these tools do
    help to tune signatures into good shape such that they won't add fire to
    false positives.

    Snot/stick will affect an IDS like Snort, but they fail to influence an IPS
    because they lack the three-way handshake, and an IPS which might have
    stateful inspection will easily block snot-generated packets.

    I did some work on this and developed e-snot, which when run on Snort
    gave lots of false positives; I can say for almost all signatures there is
    a false positive.

    Best Regards,
    -Ravi
    ROCSYS Technologies Ltd.,
    http://rocsys.com
    mail me at: ravivsn@rocsys.com

    > Anyone testing an IPS should attempt to use the denial of
    > service features in Nessus and NeWT to see what is in fact
    > being prevented. Nessus and NeWT contain a wide variety of
    > DOS checks which perform fairly invasive tests.
    >
    > Nessus and NeWT also have a variety of anti-NIDS evasion
    > features built in. For example, you can perform a variety of
    > web vulnerability scans, and have them use URL encoding,
    > TCP desynchronized packets and fragmentation. Although using
    > a vulnerability scanner to test a NIDS is an imperfect test,
    > comparing what a NIDS picks up when evasion is and isn't used
    > during a scan is extremely enlightening.
    >
    > Most people know that Nessus can be obtained from
    > www.nessus.org but they may not know that NeWT is also available
    > as a complimentary download from www.tenablesecurity.com.
    > NeWT is available for Windows XP/2000 and can scan any machine
    > on the local "Class C" network. It performs the same security
    > checks as Nessus, but has its own interface, reporting and
    > usability features. NeWT Pro is the commercial variant which
    > has no local "Class C" scan limitation. If you have an IDS or
    > IPS in a lab or on a small DMZ, you can use NeWT to launch
    > your tests from any available Windows laptop or server.
    >
    > Ron Gula, CTO
    > Tenable Network Security
    > http://www.tenablesecurity.com
    >
    >
    >
    > At 06:30 PM 5/27/2004 -0800, Securecatalyst wrote:
    >>Hi All,
    >>
    >>I want to learn if anyone knows any particular tool or product to test
    >> and validate IDS/IPS rules and signatures?
    >>
    >>I know Snot / Stick / Mucus-1 can do a good job however they can not
    >> test the signatures when the IDS/IPS does a stateful-inspection. They
    >> simply import the SNORT signatures into packets and inject them into the NW to
    >> test the rules. However, they do not establish TCP 3-way handshake and
    >> stateful engines (specifically for TCP, not UDP/ICMP) simply ignore
    >> them.
    >>
    >>I think Blade Software have some good marketing documents but I also
    >> heard that their signature set is not complete to test all. Anybody any
    >> experience with this?
    >>
    >>Further, is there any other way to validate the IDS/IPS signature other
    >> than running the attack itself against a vulnerable machine? I think
    >>vulnerability assessment tools do not help, due to similar reasons
    >> with Snot/Stick.
    >>
    >>I particularly wonder how TippingPoint, Intruvert, Toplayer and
    >> OneSecure verify their signatures? Or, do they really verify? If
    >> they did, there wouldn't be this many false positives, right? I know
    >> some vendors simply take SNORT signatures and put them into their SNORT
    >> modified engine but I am getting lots of complaints around SNORT's
    >> noise and false positives.
    >>
    >>Your input will be highly appreciated.
    >>
    >>Cheers,
    >>
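The point both Ravi and the original poster make, that Snot/Stick-style packets carrying a signature pattern are alerted on by a stateless matcher but ignored by an engine that only inspects established TCP flows (Snort's flow:established), as an added toy model that is not part of this thread. The packets, addresses and the content pattern are constructed for illustration; the matcher is a simplified sketch, not Snort's engine.

```python
# Added example (not from the thread): stateless vs. stateful content matching.
# Sample packets, addresses and the signature are constructed for illustration.
from dataclasses import dataclass

SYN, ACK, PSH = 0x02, 0x10, 0x08


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: int
    payload: bytes = b""


# Hypothetical content pattern in the spirit of a Snort web-attack rule.
SIGNATURE = {"msg": "hypothetical /etc/passwd access", "content": b"/etc/passwd"}


def stateless_match(packets):
    """Alert on any packet whose payload carries the pattern (what Snot/Stick trip)."""
    return [p for p in packets if SIGNATURE["content"] in p.payload]


def stateful_match(packets):
    """Alert only on flows that completed a three-way handshake (flow:established)."""
    half_open, established, hits = {}, set(), []
    for p in packets:
        key, rev = (p.src, p.dst), (p.dst, p.src)
        if p.flags == SYN:                                          # client SYN
            half_open[key] = "syn"
        elif p.flags == SYN | ACK and half_open.get(rev) == "syn":  # server SYN/ACK
            half_open[rev] = "synack"
        elif p.flags & ACK and half_open.get(key) == "synack":      # final ACK
            del half_open[key]
            established.update({key, rev})
        if key in established and SIGNATURE["content"] in p.payload:
            hits.append(p)
    return hits


CLIENT, SERVER, REPLAYER = "10.0.0.5", "10.0.0.80", "10.0.0.9"  # constructed hosts
HANDSHAKE = [Packet(CLIENT, SERVER, SYN), Packet(SERVER, CLIENT, SYN | ACK),
             Packet(CLIENT, SERVER, ACK)]
REQUEST = Packet(CLIENT, SERVER, PSH | ACK, b"GET /../../etc/passwd HTTP/1.0\r\n")
# A lone packet carrying the pattern with no handshake, as Snot/Stick emit them.
REPLAY = [Packet(REPLAYER, SERVER, PSH | ACK, b"GET /etc/passwd HTTP/1.0\r\n")]


def demo():
    """Alert counts for a genuine session versus a stateless replay."""
    real = HANDSHAKE + [REQUEST]
    return {"real_stateless": len(stateless_match(real)),      # 1
            "real_stateful": len(stateful_match(real)),        # 1
            "replay_stateless": len(stateless_match(REPLAY)),  # 1: false positive
            "replay_stateful": len(stateful_match(REPLAY))}    # 0: no flow, ignored
```

Running demo() shows the replay counted as a hit only by the stateless matcher, which is the false-positive generator Ravi describes and the reason such tools say nothing about a stateful engine's real coverage.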

