IDS mailing list archives
Re: Test tools for IDS
From: Greg Shipley <gshipley () neohapsis com>
Date: Tue, 30 Sep 2003 04:17:09 -0500 (CDT)
On Fri, 26 Sep 2003, Raj Ghosh wrote:
Are there any good test suites available to test the IDS products for intrusion coverage? A few I am looking at are: 1) Nessus scanner 2) IDS Informer
[I've been on this list too long. :) ]

Here we go...

Raj,

The short version is, in most scenarios you probably won't get the results you are looking for by running a VA tool "against" a NIDS. You also should consider the differences between running attacks against a NIDS and generating background traffic. IMHO, you want (need?) to do both.

However, MUCH of these topics have been discussed, at great length sometimes, in years past on this very list. Specifically, you might want to check out this post:

http://archives.neohapsis.com/archives/sf/ids/2002-q1/0081.html

...and the thread that starts here:

http://archives.neohapsis.com/archives/sf/ids/2002-q4/0023.html

---------------

I've always felt that running real exploit code against real vulnerable systems, combined with injecting a myriad of Layer-7 accurate traffic, proves to be the best testbed (short of a live network, that is). We baked much of that thinking into our first version of OSEC NIDS testing (see http://osec.neohapsis.com), which could serve as a reference point in your own efforts should you find the criteria useful.

But in short, if you need to go with a tool (over exploit code) you're probably better off going with something like IDS Informer as opposed to something like Nessus. You can toss in things like fragroute if you want to make it interesting.

As for background traffic generation, I've found that nothing matches CAW Network's (now Spirent) gear. Expensive, but worth it if you are going to do serious testing.
Hope this helps,

-Greg