Re: IDS Evaluation

From: David W. Goodrum (dgoodrum_at_nfr.com)
Date: 03/29/05

    Date: Mon, 28 Mar 2005 23:16:32 -0500
    To: Ron Gula <rgula@tenablesecurity.com>
    
    

    We've been using Core Impact as an exploit tool (as opposed to
    vulnerability scanning). It's not free, but it's really easy to use,
    and does some very cool stuff, and helps us show the effectiveness of
    IPS. We actually include a limited license copy of Core Impact with our
    Evaluation boxes that we ship so people can easily evaluate our IPS
    products. (Limited in terms of, it can only exploit 1 IP address, which
    happens to be a vulnerable server we include in the demo for Core to
    exploit.) It's really great for showing the effectiveness of IPS, when
    you remove the IPS from the middle and let Core succeed in compromising
    the victim. I think somebody already mentioned it on the list, but
    Metasploit is also very good. I have not used Canvas yet.

    -dave

    -- 
    David W. Goodrum
    (nfr)(security)
    http://www.nfr.com

    Ron Gula wrote:
    > At 12:27 PM 3/25/2005, you wrote:
    >
    >> Hi,
    >>
    >> I'm developing a project which consists of evaluating IDSs. I'm thinking
    >> of using nessus as a tool to test the number of malicious packets sent
    >> to the ids, and the number of good ones, in order to take statistics
    >> about the accuracy of the ids. Any idea about this?
    >>
    >> Thanks for your help.
    >
    >
    > Nessus has a lot of anti-ids features which still bypass some systems
    > today. If you don't have a UNIX box to run Nessus, you could also try
    > the NeWT scanner which does not have a cost for Class-C usage.
    >
    > However, when you run vuln scanners against an IDS, you only really
    > test how an IDS detects vuln scanning. You should also add into your
    > test suite tools which conduct active exploitation. There is a big
    > difference between testing a system to see if its version of bind
    > is vulnerable, and actually executing an overflow. What the IDS
    > reports in both cases can be astonishingly clear, or very disappointing.
    >
    > Ron Gula, CTO
    > Tenable Network Security
    > http://www.tenablesecurity.com
    > http://www.nessus.org
    
