IDS mailing list archives
Re: IDS/IPS testing methodology
From: Gianpiero Porchia <gianpiero.porchia () gmail com>
Date: Wed, 13 Oct 2004 10:58:29 +0200
Hi, I worked on different tests on different NIPS technologies. IMHO the NIPS testing falls in the common field of Firewall and IDS tests, or I prefer to say it's a level 7 firewall test. The test is strictly related to your network environment, and should measure:

- Functionalities: how the NIPS performs its job, i.e. if it detects attacks, and how it protects your network from them;
- Performance: how the NIPS does its job in stress conditions (throughput, connections per second, application transactions per second, latency, etc.);
- HA: how the NIPS service is always available (which levels of HA they have);
- Management: how easy it is to manage the system, and which information you get from it;
- Security: how strong the NIPS is, i.e. how it resists attacks directed at itself, or how it resists bad traffic.

Your best starting points are RFC 3511, and OSEC (http://osec.neohapsis.com).

I suggest you capture your network traffic using a sniffer for 2-3 days, and then use a traffic generator like Spirent Web Avalanche/Reflector to replay it, adding also crafted traffic (Avalanche is able to create HTTP, SMTP, POP3, DNS, RTSP, Telnet, etc.), and inject well-known attacks using Blade IDS Informer, to perform the tests.

Pay great attention to the bugs that the NIPS could have (above all in load conditions)! You can do that also using black box testing tools.

- gian

On 9 Oct 2004 21:40:47 -0000, hakked () yahoo com <hakked () yahoo com> wrote:
New to IPS arena and am looking for a documented standard or method for testing IPS technologies in parallel. Have a suite of test tools (nessus, IDS Reformer, metasploit, etc.), and we are able to test the NIDS tools fairly well off a hub, however I'm now concentrating on how to set up the network to be able to test the IPSs in parallel at the same time. This will be an ongoing research project.

-j

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
--
_____
Ing. Gianpiero Porchia
Security Consultant
ATS - Advanced Telecom Systems S.p.A.
Designing, Testing, Managing Network Quality
Via Salgari, 17 - 41100 Modena - ITALY
Tel +39 059 821332
Fax +39 059 821492
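A scoring harness for the "functionalities" part of the test described in the reply above, added here as an illustration and not code from the post or from any of the tools it names: it matches attacks injected at two load levels against constructed NIPS log lines in a hypothetical `load=... action=... sig=...` format, so detection, blocking and false positives can be compared between an idle run and a stressed run, which is where the load-dependent bugs the reply warns about show up.

```python
import re
from collections import defaultdict

# Constructed sample (not from the post): attacks injected by the harness as
# (attack id, load level in percent of the device's rated throughput).
INJECTED = [
    ("ATK-001", 10), ("ATK-002", 10), ("ATK-003", 10),
    ("ATK-001", 90), ("ATK-002", 90), ("ATK-003", 90),
]
# Constructed NIPS log in a hypothetical format: replayed traffic is tagged
# with the load level so each alert can be attributed to a test run.
NIPS_LOG = """\
2004-10-13T10:00:01 load=10 action=BLOCK sig=ATK-001
2004-10-13T10:00:02 load=10 action=BLOCK sig=ATK-002
2004-10-13T10:00:03 load=10 action=ALERT sig=ATK-003
2004-10-13T10:00:04 load=10 action=BLOCK sig=ATK-999
2004-10-13T10:10:01 load=90 action=BLOCK sig=ATK-001
2004-10-13T10:10:03 load=90 action=ALERT sig=ATK-003
"""
LINE_RE = re.compile(r"^\S+ load=(\d+) action=(BLOCK|ALERT) sig=(\S+)$")

def parse_log(text):
    """Map (load, signature) -> action for well-formed lines; others are skipped."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen[(int(m.group(1)), m.group(3))] = m.group(2)
    return seen

def score(injected, log_text):
    """Per load level: injected, detected, blocked, missed ids, false positives."""
    seen = parse_log(log_text)
    out = defaultdict(lambda: {"injected": 0, "detected": 0, "blocked": 0,
                               "missed": [], "false_pos": 0})
    for sig, load in injected:
        r = out[load]
        r["injected"] += 1
        action = seen.get((load, sig))
        if action is None:
            r["missed"].append(sig)  # attack got through undetected at this load
        else:
            r["detected"] += 1
            r["blocked"] += int(action == "BLOCK")  # ALERT-only = detected, not prevented
    # Alerts on signatures the run never injected count as false positives.
    expected = {(load, sig) for sig, load in injected}
    for load, sig in seen:
        if (load, sig) not in expected:
            out[load]["false_pos"] += 1
    return dict(out)
```

Comparing the two load levels in the result directly exposes the kind of degradation the reply warns about: with the constructed data the device misses one attack and only alerts on another at 90% load while catching all three at 10%.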
Current thread:
- IDS/IPS testing methodology hakked (Oct 11)
- Re: IDS/IPS testing methodology Gianpiero Porchia (Oct 13)
- RE: IDS/IPS testing methodology Leandro Reox (Oct 15)