Re: IDS Testing tool

From: ADT (synfinatic_at_gmail.com)
Date: 06/12/04

    Date: Sat, 12 Jun 2004 10:58:01 -0700
    To: "Anton A. Chuvakin" <anton@chuvakin.org>
    
    

    On Fri, 11 Jun 2004 01:13:29 -0400 (EDT), Anton A. Chuvakin
    <anton@chuvakin.org> wrote:
    >
    > >Is anyone aware of any open source equivalent of Blade's IDS Informer
    > >tool to test IDSes? I am aware that TCPReplay can be used to test IDSes
    > >but then we will need to make actual attacks at least once to capture
    > >the traffic. Any help would be appreciated.
    >
    > What's wrong with just blasting it with a vuln scanner? Nessus will
    > generate a lot of noise in most NIDSs and can even be tweaked for more
    > "noisiness"

    Well, think about it... a good IDS which limits the number of false
    positives should detect the actual exploit. A vulnerability scanner
    is supposed to check for the vulnerability, *not* to run the actual
    exploit, b/c then it may crash/root/etc your own box. Hence, an
    exploit should look different than a vulnerability check. Therefore,
    using Nessus or other vulnerability scanners is a crappy way of
    testing an IDS. (Of course if you've got a crappy IDS, then perhaps a
    crappy test methodology is ok.)

    With that in mind, you can either use Blade's IDS Informer or roll
    your own solution using tcpreplay.

    -Aaron
