Re: IDS Testing tool

From: typhon --- (securecatalyst_at_hotmail.com)
Date: 06/16/04

  • Next message: BLADE Software - Chris Ralph: "RE: IDS Testing tool"
    To: rgula@tenablesecurity.com, focus-ids@securityfocus.com
    Date: Tue, 15 Jun 2004 15:02:21 -0700
    
    

    So, all in all, testing the IDP/IPS products, especially in in-line mode, is
    quite a challenge. There are some tools available out there like Blade's
    IDSInformer (which only has around 600 signatures and most of them are DoS,
    DDoS, Backdoor Detection rules), Core Impact (only has around 120 actual
    exploits), CANVAS (even fewer exploits)...

    It seems that a good IPS testing product with a full blend of features and a
    complete attack list is what the market needs... Attention, entrepreneurial
    minds!

    I have not heard about Fluxay; what about it?

    Thanks, M/

    >From: Ron Gula <rgula@tenablesecurity.com>
    >To: focus-ids@securityfocus.com
    >Subject: Re: IDS Testing tool
    >Date: Sun, 13 Jun 2004 19:53:11 -0400
    >
    >At 10:58 AM 6/12/2004 -0700, ADT wrote:
    >>On Fri, 11 Jun 2004 01:13:29 -0400 (EDT), Anton A. Chuvakin
    >><anton@chuvakin.org> wrote:
    >> >
    >> > >Is anyone aware of any open source equivalent of Blade's IDS Informer
    >> > >tool to test IDSes? I am aware that TCPReplay can be used to test
    >>IDSes
    >> > >but then we will need to make actual attacks at least once to capture
    >> > >the traffic. Any help would be appreciated.
    >> >
    >> > What's wrong with just blasting it with a vuln scanner? Nessus will
    >> > generate a lot of noise in most NIDSs and can even be tweaked for more
    >> > "noisiness"
    >>
    >>Well think about it... a good IDS which limits the number of false
    >>positives should detect the actual exploit. A vulnerability scanner
    >>is supposed to check for the vulnerability, *not* to run the actual
    >>exploit, b/c then it may crash/root/etc your own box. Hence, an
    >>exploit should look different than a vulnerability check. Therefore,
    >>using Nessus or other vulnerability scanners is a crappy way of
    >>testing an IDS. (Of course if you've got a crappy IDS, then perhaps a
    >>crappy test methodology is ok.)
    >>
    >>With that in mind, you can either use Blade's IDS Informer or roll
    >>your own solution using tcpreplay.
    >
    >I'd say using vuln scanners is far from crappy, but surely not complete.
    >It depends what you are looking for really. Vulnerability scanners do a
    >wide variety of things from port scanning, host enumeration, TCP/IP
    >fingerprinting, service probes (like SNMP, RPC, Netbios, etc.) and so on.
    >Of course, none of those may constitute an actual intrusion, but 80-90%
    >of most NIDS tend to focus on those activities.
    >
    >If you really want to see exploits in action, I would recommend using
    >CORE, Metasploit, Fluxay, or some other tool that allows you to coax
    >root or admin from an active exploit. Finding a bunch of remote root
    >exploits on packetstorm, installing the vulnerable versions of those
    >daemons on your target system and then launching the exploit in front
    >of your NIDS is something everyone should do once or twice. You'll be
    >very surprised what your NIDS sees and doesn't see.
    >
    >I'd also recommend you try to bind a shell to some obscure high port with
    >netcat and see how your NIDS reacts. Lots of UNIX and W2K attacks invoke
    >a listener on some other port. If you really want to make it difficult,
    >put the listener on port 80.
    >
    >And lastly, using TCPreplay with the traces from Defcon CTF or the
    >honeynet challenge can also present your NIDS with a source of traffic.
    >
    >Ron Gula, CTO
    >Tenable Network Security
    >http://www.tenablesecurity.com

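Editor's added example (not part of the thread, and not code from any of the
posters): the session Ron describes above, a shell listening on port 80 and
answering something that is not HTTP, synthesised into a pcap so it can be
replayed at a sensor with tcpreplay. This also answers the original poster's
worry that replay testing needs a live attack captured first; for a listener
test the traffic can be built directly. Standard-library Python only. The
addresses, MACs, sequence numbers, command and reply are all constructed for
the example.

```python
"""
Synthesise a pcap of a shell session bound to TCP port 80 (handshake, one
command, one reply) so it can be replayed at a NIDS with tcpreplay.
Standard library only.  Every address, MAC, sequence number and payload
below is constructed for this example.
"""
import struct

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10

# Constructed endpoints: (IPv4 address, TCP port, MAC).  The "shell" listens
# on 80, so a port-based rule sees only "web" traffic.
ATTACKER = ("10.0.0.5", 40123, bytes.fromhex("020000000001"))
VICTIM   = ("10.0.0.9", 80,    bytes.fromhex("020000000002"))


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used by IP and TCP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ip4(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_tcp_frame(src, dst, seq, ack, flags, payload=b"", ip_id=1):
    """Ethernet II + IPv4 + TCP (no options) with valid IP and TCP checksums."""
    src_ip, src_port, src_mac = src
    dst_ip, dst_port, dst_mac = dst
    # TCP header: ports, seq, ack, data offset 5 (20 bytes), flags, window,
    # checksum placeholder, urgent pointer; payload follows.
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                      5 << 4, flags, 8192, 0, 0) + payload
    pseudo = _ip4(src_ip) + _ip4(dst_ip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version/IHL, TOS, total length, id, DF, TTL, proto TCP,
    # checksum placeholder, src, dst.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000,
                     64, 6, 0, _ip4(src_ip), _ip4(dst_ip))
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    eth = dst_mac + src_mac + b"\x08\x00"          # EtherType IPv4
    return eth + ip + tcp


def build_session(client_cmd=b"id\n", server_reply=b"uid=0(root) gid=0(root)\n"):
    """Three-way handshake, one command, one reply, final ACK.

    The handshake matters: a sensor that tracks TCP state and reassembles
    streams ignores payload on connections it never saw open.  The client
    bytes are a shell command, not an HTTP request, although dst port is 80.
    """
    frames, c_seq, s_seq = [], 1000, 5000
    frames.append(build_tcp_frame(ATTACKER, VICTIM, c_seq, 0, SYN, ip_id=1))
    frames.append(build_tcp_frame(VICTIM, ATTACKER, s_seq, c_seq + 1, SYN | ACK, ip_id=2))
    c_seq, s_seq = c_seq + 1, s_seq + 1
    frames.append(build_tcp_frame(ATTACKER, VICTIM, c_seq, s_seq, ACK, ip_id=3))
    frames.append(build_tcp_frame(ATTACKER, VICTIM, c_seq, s_seq, PSH | ACK, client_cmd, ip_id=4))
    c_seq += len(client_cmd)
    frames.append(build_tcp_frame(VICTIM, ATTACKER, s_seq, c_seq, PSH | ACK, server_reply, ip_id=5))
    s_seq += len(server_reply)
    frames.append(build_tcp_frame(ATTACKER, VICTIM, c_seq, s_seq, ACK, ip_id=6))
    return frames


def pcap_bytes(frames, start_ts=1087000000, gap_us=10000):
    """libpcap file: 24-byte global header, then (16-byte record header, frame)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        usec = i * gap_us
        out += struct.pack("<IIII", start_ts + usec // 1_000_000, usec % 1_000_000,
                           len(frame), len(frame))
        out += frame
    return out


def ip_checksum_ok(frame):
    return _csum(frame[14:34]) == 0


def tcp_checksum_ok(frame):
    ip, tcp = frame[14:34], frame[34:]
    pseudo = ip[12:16] + ip[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _csum(pseudo + tcp) == 0


if __name__ == "__main__":
    frames = build_session()
    with open("shell_on_80.pcap", "wb") as fh:
        fh.write(pcap_bytes(frames))
    # Replay toward the sensor, e.g.:  tcpreplay -i eth1 shell_on_80.pcap
    print("wrote %d frames, checksums ok: %s" % (
        len(frames), all(ip_checksum_ok(f) and tcp_checksum_ok(f) for f in frames)))
```

Replay with tcpreplay on the interface the sensor taps (tcpreplay -i eth1
shell_on_80.pcap). Two caveats a practitioner will hit: a sensor that keeps
TCP state needs to see the handshake, which is why the builder emits it
rather than just the data segments; and for an in-line IPS a one-interface
replay is not a fair test, because each direction has to arrive on the
correct side of the device (tcpprep plus tcpreplay's two-interface mode does
that split). Whether the sensor flags the non-HTTP exchange on port 80, or
shrugs because the port says "web", is exactly the "sees and doesn't see"
Ron is talking about.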

