IDS mailing list archives
Testing IDS/IPS Signatures
From: "Securecatalyst" <securecatalyst () hotmail com>
Date: Thu, 27 May 2004 18:30:44 -0800
Hi All,

I want to learn if anyone knows of any particular tool or product to test and validate IDS/IPS rules and signatures. I know Snot / Stick / Mucus-1 can do a good job; however, they cannot test the signatures when the IDS/IPS does stateful inspection. They simply import the SNORT signatures into packets and inject them into the NW to test the rules. However, they do not establish the TCP 3-way handshake, and stateful engines (specifically for TCP, not UDP/ICMP) simply ignore them.

I think Blade Software have some good marketing documents, but I also heard that their signature set is not complete enough to test everything. Does anybody have any experience with this?

Further, is there any other way to validate an IDS/IPS signature other than running the attack itself against a vulnerable machine? I think vulnerability assessment tools do not help, for similar reasons as with Snot/Stick.

I particularly wonder how TippingPoint, Intruvert, Toplayer and OneSecure verify their signatures. Or do they really verify them? If they did, there wouldn't be this many false positives, right? I know some vendors simply take SNORT signatures and put them into their SNORT-modified engine, but I am getting lots of complaints about SNORT's noise and false positives.

Your input will be highly appreciated.

Cheers,
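The behaviour described in the message above (signature-bearing packets sent without a TCP 3-way handshake being ignored by a stateful engine) can be modelled as below. This is an added example, not part of the original post and not code from Snort or any vendor named; the flow tracking is simplified, and the addresses, ports and marker string are constructed.

```python
from dataclasses import dataclass
SYN, RST, PSH, ACK = 0x02, 0x04, 0x08, 0x10

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""

def inspect(segments, signature):
    """Match `signature` only on flows whose 3-way handshake was observed.
    Returns (alerts, ignored). Simplified: sequence numbers are not checked."""
    state = {}  # direction-independent flow key -> (stage, client endpoint)
    alerts, ignored = [], []
    for seg in segments:
        sender, receiver = (seg.src, seg.sport), (seg.dst, seg.dport)
        key = tuple(sorted((sender, receiver)))
        stage, client = state.get(key, (None, None))
        syn, ack = bool(seg.flags & SYN), bool(seg.flags & ACK)
        if seg.flags & RST:
            state.pop(key, None)          # teardown: forget the flow
            continue
        if syn and not ack:
            state[key] = ("SYN_SENT", sender)
        elif syn and ack and stage == "SYN_SENT" and sender != client:
            state[key] = ("SYN_ACKED", client)
        elif ack and stage == "SYN_ACKED" and sender == client:
            state[key] = ("ESTABLISHED", client)
        if seg.payload:
            if state.get(key, (None, None))[0] == "ESTABLISHED":
                if signature in seg.payload:
                    alerts.append(seg)
            else:
                ignored.append(seg)       # packets with no handshake land here
    return alerts, ignored

# Constructed sample traffic (documentation addresses, harmless marker string).
SIG = b"TEST-PATTERN"
C, S = ("192.0.2.10", 40000), ("198.51.100.5", 80)
SAMPLE = [
    Segment(*C, *S, SYN),                                   # full session
    Segment(*S, *C, SYN | ACK),
    Segment(*C, *S, ACK),
    Segment(*C, *S, PSH | ACK, b"GET /TEST-PATTERN HTTP/1.0\r\n\r\n"),
    Segment("192.0.2.99", 40001, *S, PSH | ACK, b"TEST-PATTERN"),  # no handshake
]
```

Calling `inspect(SAMPLE, SIG)` yields one alert for the established session and one ignored segment for the packet that arrived without a handshake, which is why a rule that never fires under a stateless test tool is not necessarily a broken rule.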