Evaluating IDS



I am preparing to evaluate three IDS's on a test network. My intent is to replay normal traffic on the network and have each vendor run their own system to show the capabilities, then I would like to run exploits across the network on certain machines to see how the system detects the exploits and lastly disable their rule for a particular virus to simulate a 1 day virus propogation and see how the systems detect and react to it moving across the test network.

Does anyone have any experience conducting similar evaluations?

Any recommendation as to what type of exploits to run on the systems to get the best results from the IDS's?

Lastly anyone know where I can get a virus to use and any recommendations in that area? I was considering possibly using a honeynet setup for the virus to propogate to to simulate many systems at once, but am not 100% certain yet.

Any recommendations or guidance is much appreciated.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------