Re: IDS Evaluation

From: Ron Gula (rgula_at_tenablesecurity.com)
Date: 03/28/05

    Date: Mon, 28 Mar 2005 12:33:51 -0500
    To: focus-ids@securityfocus.com
    
    

    At 12:27 PM 3/25/2005, you wrote:
    >Hi,
    >
    >I'm developing a project which consists of evaluating IDSs. I'm thinking
    >of using nessus as a tool to test the number of malicious packets sent
    >to the ids, and the number of good ones, in order to take statistics
    >about the accuracy of the ids. Any idea about this?
    >
    >Thanks for your help.

    Nessus has a lot of anti-ids features which still bypass some systems
    today. If you don't have a UNIX box to run Nessus, you could also try
    the NeWT scanner which does not have a cost for Class-C usage.

    However, when you run vuln scanners against an IDS, you only really
    test how an IDS detects vuln scanning. You should also add into your
    test suite tools which conduct active exploitation. There is a big
    difference between testing a system to see if its version of bind
    is vulnerable, and actually executing an overflow. What the IDS
    reports in both cases can be astonishingly clear, or very disappointing.

    Ron Gula, CTO
    Tenable Network Security
    http://www.tenablesecurity.com
    http://www.nessus.org
