Re: IDS Testing tool
From: ADT (synfinatic_at_gmail.com)
Date: 06/15/04
Date: Tue, 15 Jun 2004 11:22:18 -0700
To: Tom Arseneault <tarseneault@counterpane.com>
On Mon, 14 Jun 2004 14:00:21 -0700, Tom Arseneault
<tarseneault@counterpane.com> wrote:
>
> I've heard this argument before and while the reasoning sounds solid I've
> never seen anyone quote examples. Has anyone done the research to
> support this? If so, and it's not under NDA, could they post a link to a
> white paper?
I haven't seen any papers or done any formal research. Mostly just
been personal experience which is likely to be biased.
> If, as I suspect, the argument is valid and "vulnerability scanner" does
> not equal "IDS tester" the question then comes to would it be possible
> to write NASL scripts that could validly test an IDS? Is the issue with
> the way the current NASL scripts are written or is it something more
> fundamental? I dabble but I'm not trained as a programmer so the subtle
> stuff escapes me. One thing I do know is that these would have to be a
> special class of scripts with big red warnings "Do not test live systems,
> your job may crash".
Yes, NASL (or CASL) can be used to write scripts which could test an
IDS. However, you'd have to have a properly configured target system
running the services to "attack" for it to work. Tools like tcpreplay
and IDS Informer can test an IDS w/o a target system.
As for the "Don't test live systems, your job/server may crash": yes,
this can happen. Some software is written very poorly and sometimes
the vulnerability test is similar enough to the actual exploit to
cause it to crash. Of course, some of it is also a CYA so that you
don't go sue them when you bring down your network b/c you weren't
sufficiently warned.
[snip cost/benefit analysis on IDS Informer]
Honestly I don't know what it costs (I don't work for them, nor have I
ever used their product). I'm sure they'd be happy to give you a
quote and provide you all sorts of marketing material to help convince
your boss(es) though. :)
-Aaron