Re: Evaluating IDS



Hi,
I would go about testing my IDS in the following way.
Assuming you have a test network and you can play
around, I would take the set of applications most used
in my network and, if feasible, create one server for
each application we are using. Create a
network with 3 routes to the internal network, one via each
IDS, and have the 3 attack machines.
Internal N/w----IDS/IPS 1----Attack Machine 1
            ----IDS/IPS 2----Attack Machine 2
            ----IDS/IPS 3----Attack Machine 3
So the steps would be
1. Create the test setup with the applications we are
using in production, or in the segment which we are trying
to protect, assuming the Internet is a threat as well as
an internal employee.
2. Run a pentest on the network from the Internet,
assuming the network being protected by the IDS/IPS is
internal and the external side is your test
attacker's machine. Please keep the default signature
set on all the IDS/IPS.
3. See which ports are open and exploitable with an
NMAP/Nessus combo. Also you can use Amap and Paros
(www.parosproxy.org/faq.shtml). (Make sure you have
libwhisker and Hydra installed on the same machine as
Nessus.)
4. Download the exploit and execute it.

While you do the above test, look for
1. False positives on each IDS: correct attacks
versus incorrectly alerted attacks.
2. Attacks not identified (false negatives).
3. The logging capacity and detection capacity
at peak load: say the box is 1 Gb throughput, put
the box under stress and see.
4. Randomly choose a list of attacks and mix them with
the above stress testing; say 10% bad traffic and 90%
normal traffic at a line rate of 1 Gbps, you should see
the actual box sending 900 Mbps and 100 Mbps being
dropped, assuming every UDP/TCP session has the same
payload and packet size.
5. Check the box with fragroute to evade the signature
detection mechanism.

Hope this helps.
TCP-FIN
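One way to turn the "look for" list above (false positives, false negatives) into numbers per IDS/IPS, as an added example that is not from TCP-FIN's post or from any of the products under test: keep a manifest of every exploit you actually launched from the attack machine, then match each sensor's alerts against it by flow (source, destination, destination port) and a time window. The one-line log format, the five-second window, the host addresses and the alert lines below are all constructed for this example; a real sensor's export would need its own parser.

```python
"""Score IDS alert logs against the manifest of attacks launched in a test run.

Added example, not code from the original post or from any IDS vendor. The
line format "<ISO time> <src> <dst> <dport> <label>" used for both the
manifest and the alert logs is an assumption made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int
    label: str  # attack name (manifest) or signature name (alert log)


def parse_events(text):
    """Parse the assumed one-event-per-line format; '#' lines are comments."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, label = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(dport), label))
    return events


def score(attacks, alerts, window=timedelta(seconds=5)):
    """Match alerts to attacks on the same (src, dst, dport) within `window`.

    An attack with one or more matching alerts is one true positive (a sensor
    that fires three times on a single exploit still gets credit for one
    detection, not three). An alert that matches no attack is a false
    positive; an attack with no alert at all is a false negative.
    """
    detected = set()
    spurious = []
    for alert in alerts:
        for idx, atk in enumerate(attacks):
            same_flow = (atk.src, atk.dst, atk.dport) == (alert.src, alert.dst, alert.dport)
            if same_flow and abs(alert.ts - atk.ts) <= window:
                detected.add(idx)
                break
        else:  # no attack matched this alert
            spurious.append(alert)
    tp, fp = len(detected), len(spurious)
    fn = len(attacks) - tp
    return {
        "tp": tp, "fp": fp, "fn": fn,
        "recall": tp / len(attacks) if attacks else 0.0,
        "precision": tp / (tp + fp) if (tp + fp) else 0.0,
        "missed": [a.label for i, a in enumerate(attacks) if i not in detected],
        "spurious": [a.label for a in spurious],
    }


# Constructed manifest: what Attack Machine 1 (10.0.0.5) actually launched.
MANIFEST = """
2004-07-08T10:00:00 10.0.0.5 192.168.1.10 80 web-scan
2004-07-08T10:01:00 10.0.0.5 192.168.1.10 80 web-traversal
2004-07-08T10:02:00 10.0.0.5 192.168.1.20 21 ftp-overflow
2004-07-08T10:03:00 10.0.0.5 192.168.1.30 445 smb-exploit
2004-07-08T10:04:00 10.0.0.5 192.168.1.30 135 rpc-exploit
"""

# Constructed alert log for IDS/IPS 1: fires twice on the scan, misses the RPC
# exploit, and flags an internal host's ordinary web traffic (a false positive).
IDS1_ALERTS = """
2004-07-08T10:00:02 10.0.0.5 192.168.1.10 80 WEB-MISC scanner
2004-07-08T10:00:03 10.0.0.5 192.168.1.10 80 WEB-MISC scanner
2004-07-08T10:01:01 10.0.0.5 192.168.1.10 80 WEB-IIS traversal
2004-07-08T10:02:01 10.0.0.5 192.168.1.20 21 FTP format string
2004-07-08T10:03:02 10.0.0.5 192.168.1.30 445 NETBIOS exploit attempt
2004-07-08T10:30:00 192.168.1.50 192.168.1.10 80 WEB-MISC scanner
"""

# Constructed alert log for IDS/IPS 2: quiet, no false alarms, but it never
# sees the directory traversal (a false negative).
IDS2_ALERTS = """
2004-07-08T10:00:01 10.0.0.5 192.168.1.10 80 scan
2004-07-08T10:02:01 10.0.0.5 192.168.1.20 21 ftp
2004-07-08T10:03:01 10.0.0.5 192.168.1.30 445 smb
2004-07-08T10:04:01 10.0.0.5 192.168.1.30 135 rpc
"""


def score_all():
    attacks = parse_events(MANIFEST)
    return {
        "IDS/IPS 1": score(attacks, parse_events(IDS1_ALERTS)),
        "IDS/IPS 2": score(attacks, parse_events(IDS2_ALERTS)),
    }


if __name__ == "__main__":
    for name, r in score_all().items():
        print(f"{name}: tp={r['tp']} fp={r['fp']} fn={r['fn']} "
              f"recall={r['recall']:.2f} precision={r['precision']:.2f}")
        print("  missed:  ", r["missed"])
        print("  spurious:", r["spurious"])
```

Two caveats when using something like this for real. First, run the same scorer on the alerts captured during the stress test (step 3 and 4 above) and compare `missed` against the idle-network run: attacks that are detected at low load but fall into `missed` at line rate are the ones the box is dropping, and that is a more useful figure than the vendor's throughput number. Second, the time window matters: an alert that arrives well after the attack (a sensor that only flags the session on teardown, say) will be counted as a false positive plus a false negative unless the window is widened, so pick it from how each product timestamps its alerts and state it alongside the results.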



--- pentesticle@xxxxxxxxx wrote:

I am preparing to evaluate three IDSs on a test
network. My intent is to replay normal traffic on
the network and have each vendor run their own
system to show the capabilities, then I would like
to run exploits across the network on certain
machines to see how the system detects the exploits
and lastly disable their rule for a particular virus
to simulate a 1-day virus propagation and see how
the systems detect and react to it moving across the
test network.

Does anyone have any experience conducting similar
evaluations?

Any recommendation as to what type of exploits to
run on the systems to get the best results from the
IDSs?

Lastly, does anyone know where I can get a virus to use,
and any recommendations in that area? I was
considering possibly using a honeynet setup for the
virus to propagate to, to simulate many systems at
once, but am not 100% certain yet.

Any recommendations or guidance is much appreciated.


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to

http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.

------------------------------------------------------------------------






