Re: IDS Testing tool

From: Ron Gula (rgula_at_tenablesecurity.com)
Date: 06/14/04

    Date: Sun, 13 Jun 2004 19:53:11 -0400
    To: focus-ids@securityfocus.com


    At 10:58 AM 6/12/2004 -0700, ADT wrote:
    >On Fri, 11 Jun 2004 01:13:29 -0400 (EDT), Anton A. Chuvakin
    ><anton@chuvakin.org> wrote:
    > >
    > > >Is anyone aware of any open source equivalent of Blade's IDS Informer
    > > >tool to test IDSes? I am aware that TCPReplay can be used to test IDSes
    > > >but then we will need to make actual attacks at least once to capture
    > > >the traffic. Any help would be appreciated.
    > >
    > > What's wrong with just blasting it with a vuln scanner? Nessus will
    > > generate a lot of noise in most NIDSs and can even be tweaked for more
    > > "noisyness"
    >
    >Well think about it... a good IDS which limits the number of false
    >positives should detect the actual exploit. A vulnerability scanner
    >is supposed to check for the vulnerability, *not* to run the actual
    >exploit, b/c then it may crash/root/etc your own box. Hence, an
    >exploit should look different than a vulnerability check. Therefore,
    >using Nessus or other vulnerability scanners is a crappy way of
    >testing an IDS. (Of course if you've got a crappy IDS, then perhaps a
    >crappy test methodology is ok.)
    >
    >With that in mind, you can either use Blade's IDS Informer or roll
    >your own solution using tcpreplay.

    I'd say using vuln scanners is far from crappy, but surely not complete.
    It depends what you are looking for really. Vulnerability scanners do a
    wide variety of things from port scanning, host enumeration, TCP/IP
    fingerprinting, service probes (like SNMP, RPC, Netbios, etc.) and so on.
    Of course, none of those may constitute an actual intrusion, but 80-90%
    of most NIDS tend to focus on those activities.

    If you really want to see exploits in action, I would recommend using
    CORE, Metasploit, Fluxay, or some other tool that allows you to coax
    root or admin from an active exploit. Finding a bunch of remote root
    exploits on packetstorm, installing the vulnerable versions of those
    daemons on your target system and then launching the exploit in front
    of your NIDS is something everyone should do once or twice. You'll be
    very surprised what your NIDS sees and doesn't see.

    I'd also recommend you try to bind a shell to some obscure high port with
    netcat and see how your NIDS reacts. Lots of UNIX and W2K attacks invoke
    a listener on some other port. If you really want to make it difficult,
    put the listener on port 80.

    And lastly, using TCPreplay with the traces from Defcon CTF or the
    honeynet challenge can also present your NIDS with a source of traffic.

    Ron Gula, CTO
    Tenable Network Security
    http://www.tenablesecurity.com
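The netcat test in the post above is worth making concrete: a bind shell on an obscure high port is caught by any rule that keys on "unexpected listening port", but the same shell moved to port 80 is invisible to port-based logic and only a content or protocol-conformance check will see it. The following is an added example (not code from the original post or from Tenable) that scores a few constructed server-to-client payloads two ways, once with a hypothetical port-allowlist rule and once with hypothetical content rules (shell output such as `id`/`uname` results and a trailing prompt, plus "non-HTTP answer on port 80"). The port set, the indicator patterns and the sample flows are all assumptions made for the illustration.

```python
"""Added example: why a netcat bind shell on port 80 defeats port-based NIDS rules.

Not from the original post. Everything here (ports, patterns, flows) is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    label: str
    dport: int            # server-side port the client connected to
    server_bytes: bytes   # what the listener sent back to the client


# Hypothetical port-only policy: alert on any server port outside this allowlist.
EXPECTED_PORTS = {22, 25, 53, 80, 443}

# Hypothetical content indicators of an interactive shell (output of `id`,
# `uname -a`, or a bare prompt at the end of the data). Not a vendor signature set.
SHELL_INDICATORS = [
    re.compile(rb"uid=\d+\(\w+\) gid=\d+\(\w+\)"),          # `id` output
    re.compile(rb"^(Linux|SunOS|FreeBSD) \S+ [\d.]+", re.M),  # `uname -a` output
    re.compile(rb"(^|\n)(bash-\d\.\d+)?[#$] $"),             # trailing "# " / "$ "
]


def port_rule(flow: Flow) -> bool:
    """Fires only when the listener sits on a port outside the allowlist."""
    return flow.dport not in EXPECTED_PORTS


def content_rule(flow: Flow) -> bool:
    """Fires on shell-output indicators, or on a port-80 answer that is not HTTP."""
    if any(p.search(flow.server_bytes) for p in SHELL_INDICATORS):
        return True
    if flow.dport == 80 and flow.server_bytes and not flow.server_bytes.startswith(b"HTTP/"):
        return True
    return False


# Constructed sample traffic: two bind shells (high port and port 80), one real
# HTTP response, one SSH banner.
SHELL_OUTPUT = b"uid=0(root) gid=0(root) groups=0(root)\n# "
SAMPLE_FLOWS = [
    Flow("nc bind shell on 31337", 31337, SHELL_OUTPUT),
    Flow("nc bind shell on 80", 80, SHELL_OUTPUT),
    Flow("legit HTTP on 80", 80, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"),
    Flow("legit SSH on 22", 22, b"SSH-2.0-OpenSSH_3.8p1\r\n"),
]


def evaluate(flows):
    """Return {label: (port_rule_hit, content_rule_hit)} for each flow."""
    return {f.label: (port_rule(f), content_rule(f)) for f in flows}


if __name__ == "__main__":
    for label, (p, c) in evaluate(SAMPLE_FLOWS).items():
        print(f"{label:24s} port-rule={p!s:5s} content-rule={c!s:5s}")
```

Run stand-alone it prints one line per flow; the bind shell on 31337 trips both rules, the one on port 80 trips only the content rule, and the two legitimate flows trip neither. Swapping the listener's port, as the post suggests, is exactly the move that separates a port-keyed NIDS from one that actually inspects payloads.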


