IDS mailing list archives
Re: IDS Evaluation
From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 28 Mar 2005 12:33:51 -0500
At 12:27 PM 3/25/2005, you wrote:
Hi, i'm developing a project which consist on evaluating IDSs. I'm thinking of using nessus as a tool to test the number of malicious packets sent to the ids, and the number of good ones, in order to take statistics about the accuracy of the ids. Any idea about this? Thanks for your help.
Nessus has a lot of anti-ids features which still bypass some systems today. If you don't have a UNIX box to run Nessus, you could also try the NeWT scanner which does not have a cost for Class-C usage. However, when you run vuln scanners against an IDS, you only really test how an IDS detects vuln scanning. You should also add into you test suite tools which conduct active exploitation. There is a big difference between testing a system to see if it's version of bind is vulnerable, and actually executing an overflow. What the IDS reports in both cases can be astonishingly clear, or very disappointing. Ron Gula, CTO Tenable Network Security http://www.tenablesecurity.com http://www.nessus.org -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
Current thread:
- IDS Evaluation 1daguerr (Mar 28)
- RE: IDS Evaluation Matt Foster (Mar 31)
- <Possible follow-ups>
- Re: IDS Evaluation Ron Gula (Mar 28)
- Re: IDS Evaluation sam f. stover (Mar 28)
- Re: IDS Evaluation Raffael Marty (Mar 29)
- Re: IDS Evaluation David W. Goodrum (Mar 29)
- Re: IDS Evaluation sam f. stover (Mar 28)
- RE: IDS Evaluation Maynor, David (ISS Atlanta) (Mar 28)