Re: IDS Evaluation
From: David W. Goodrum (dgoodrum_at_nfr.com)
Date: 03/29/05
- Previous message: sam f. stover: "Re: IDS Evaluation"
- In reply to: Ron Gula: "Re: IDS Evaluation"
- Next in thread: Matt Foster: "RE: IDS Evaluation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 28 Mar 2005 23:16:32 -0500 To: Ron Gula <rgula@tenablesecurity.com>
We've been using Core Impact as an exploit tool (as opposed to
vulnerability scanning). It's not free, but it's really easy to use,
and does some very cool stuff, and helps us show the effectiveness of
IPS. We actually include a limited license copy of Core Impact with our
Evaluation boxes that we ship so people can easily evaluate our IPS
products. (Limited in terms of, it can only exploit 1 IP address, which
happens to be a vulnerable server we include in the demo for Core to
exploit.) It's really great for showing the effectiveness of IPS, when
you remove the IPS from the middle and let Core succeed in compromising
the victim. I think somebody already mentioned it on the list, but
Metasploit is also very good. I have not used Canvas yet.
-dave
-- David W. Goodrum (nfr)(security) http://www.nfr.com Ron Gula wrote: > At 12:27 PM 3/25/2005, you wrote: > >> Hi, >> >> i'm developing a project which consist on evaluating IDSs. I'm thinking >> of using nessus as a tool to test the number of malicious packets sent >> to the ids, and the number of good ones, in order to take statistics >> about the accuracy of the ids. Any idea about this? >> >> Thanks for your help. > > > Nessus has a lot of anti-ids features which still bypass some systems > today. If you don't have a UNIX box to run Nessus, you could also try > the NeWT scanner which does not have a cost for Class-C usage. > > However, when you run vuln scanners against an IDS, you only really > test how an IDS detects vuln scanning. You should also add into you > test suite tools which conduct active exploitation. There is a big > difference between testing a system to see if it's version of bind > is vulnerable, and actually executing an overflow. What the IDS > reports in both cases can be astonishingly clear, or very disappointing. > > Ron Gula, CTO > Tenable Network Security > http://www.tenablesecurity.com > http://www.nessus.org > > > > > > > -------------------------------------------------------------------------- > > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it with real-world attacks from > CORE IMPACT. > Go to > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to > learn more. > -------------------------------------------------------------------------- > > -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
- Previous message: sam f. stover: "Re: IDS Evaluation"
- In reply to: Ron Gula: "Re: IDS Evaluation"
- Next in thread: Matt Foster: "RE: IDS Evaluation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
