IDS mailing list archives

Re: IDS/IPS testing methodology

From: Gianpiero Porchia <gianpiero.porchia () gmail com>
Date: Wed, 13 Oct 2004 10:58:29 +0200

Hi,

I worked on different tests on different NIPS technologies. IMHO the
NIPS testing falls in the  the common field of Firewall and IDS test,
or I prefer to say it's a level 7 firewall test.
The test is strictly related to your network environment, and should measure:

- Functionalities: how the NIPS performs its job, ie if it detects
attacks, and how it protect your network from them;
- Performance: how the NIPS to its job in stress conditions
(throughput, connectioons per second, application transaction per
second, latency, etc. etc.);
- HA: how the NIPS service is always available (which lavels of HA they have);
- Management: how is easy to manage the system, and which informations
you get from them;
- Security: how the NIPS is strong, ie how it resists on attacks
direct to itself, or how it resists to bad traffic

Your best starting points are RFC 3511, and OSEC (http://osec.neohapsis.com).
I suggest you to capture your network traffic using a sniffer, for 2-3
days, and then use a traffic generator like Spirent Web
Avalanche/Reflector to replay it, adding also crafted traffic
(Avalanche is able to create HTTP, SMTP, POP3, DNS, RTSP, Telnet,
etc.etc.), and injected well known attacks using Blade IDS Informer,
to perform the tests.

Pay great attention on the bugs that the NIPS could have (above all in
load condition)!
You can do that also using black box testing tools.

- gian


On 9 Oct 2004 21:40:47 -0000, hakked () yahoo com <hakked () yahoo com> wrote:



New to IPS arena and am looking for a documented standard or method for testing IPS technologies in parallel. Have a 
suite of test tools (nessus, IDS Reformer, metasploit, etc.), and we are able to test the NIDS tools fairly well off 
a hub, however I'm now concentrating on how to setup the network to be able to test the IPS's in parallel at the same 
time. This will be an ongoing research project.

-j

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------



-- 
   _____
Ing. Gianpiero Porchia
Security Consultant

ATS - Advanced Telecom Systems S.p.A.
Designing, Testing, Managing Network Quality

Via Salgari, 17 - 41100 Modena - ITALY

Tel   +39 059 821332
Fax  +39 059 821492

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

Current thread:

IDS/IPS testing methodology hakked (Oct 11)
- Re: IDS/IPS testing methodology Gianpiero Porchia (Oct 13)
- RE: IDS/IPS testing methodology Leandro Reox (Oct 15)