IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: IDS Evaluation

From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 28 Mar 2005 12:33:51 -0500
At 12:27 PM 3/25/2005, you wrote:

Hi,

i'm developing a project which consist on evaluating IDSs. I'm thinking
of using nessus as a tool to test the number of malicious packets sent
to the ids, and the number of good ones, in order to take statistics
about the accuracy of the ids. Any idea about this?

Thanks for your help.


Nessus has a lot of anti-ids features which still bypass some systems
today. If you don't have a UNIX box to run Nessus, you could also try
the NeWT scanner which does not have a cost for Class-C usage.

However, when you run vuln scanners against an IDS, you only really
test how an IDS detects vuln scanning. You should also add into you
test suite tools which conduct active exploitation. There is a big
difference between testing a system to see if it's version of bind
is vulnerable, and actually executing an overflow. What the IDS
reports in both cases can be astonishingly clear, or very disappointing.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
http://www.nessus.org






--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. 
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: