Re: IDS Testing tool

From: Ron Gula (
Date: 06/14/04

  • Next message: K G: "RE: Dragon Vs. Sourcefire NIDS"
    Date: Sun, 13 Jun 2004 19:53:11 -0400

    At 10:58 AM 6/12/2004 -0700, ADT wrote:
    >On Fri, 11 Jun 2004 01:13:29 -0400 (EDT), Anton A. Chuvakin
    ><> wrote:
    > >
    > > >Is anyone aware of any open source equivalent of Blade's IDS Informer
    > > >tool to test IDSes? I am aware that TCPReplay can be used to test IDSes
    > > >but then we will need to make actual attacks at least once to capture
    > > >the traffic. Any help would be appreciated.
    > >
    > > What's wrong with just blasting it with a vuln scanner? Nessus will
    > > generate a lot of noise in most NIDSs and can even be tweaked for more
    > > "noisyness"
    >Well think about it... a good IDS which limits the number of false
    >positives should detect the actual exploit. A vulnerability scanner
    >is supposed to check for the vulnerability, *not* to run the actual
    >exploit, b/c then it may crash/root/etc your own box. Hence, an
    >exploit should look different then a vulnerability check. Therefore,
    >using Nessus or other vulnerability scanners are a crappy way of
    >testing an IDS. (Of course if you've got a crappy IDS, then perhaps a
    >crappy test methodology is ok.)
    >With that in mind, you can either use Blade's IDS Informer or roll
    >your own solution using tcpreplay.

    I'd say using vuln scanners is far from crappy, but surely not complete.
    It depends what you are looking for really. Vulnerability scanners do a
    wide variety of things from port scanning, host enumeration, TCP/IP
    fingerprinting, service probes (like SNMP, RPC, Netbios, .etc) and so on.
    Of course, none of those may constitute an actual intrusion, but 80-90%
    of most NIDS tend to focus on those activities.

    If you really want to see exploits in action, I would recommend using
    CORE, Metasploit, Fluxay, or some other tool that allows you to coax
    root or admin from an active exploit. Finding a bunch of remote root
    exploits on packetstorm, installing the vulnerable versions of those
    daemons on your target system and then launching the exploit in front
    of your NIDS is something everyone should do once or twice. You'll be
    very surpirsed what your NIDS see and don't see.

    I'd also recommend you try to bind a shell to some obscure high port with
    netcat and see how your NIDS reacts. Lots of UNIX and W2K attacks invoke
    a listener on some other port. If you really want to make it difficult,
    put the listener on port 80.

    And lastly, using TCPreplay with the traces from Defcon CTF or the
    honeynet challenge can also present your NIDS with a source of traffic.

    Ron Gula, CTO
    Tenable Network Security



  • Next message: K G: "RE: Dragon Vs. Sourcefire NIDS"