Re: Testing IDS with tcpreplay

["Ratna Kumar" <ratnakumarch () visualsoft-tech com>]

Hi Elias,

Which IDS product you are testing???
Instead of looking for  pcap files.You can use packet generation tool to 
reproduce the malicious traffic
(like hping,nemisis,engage packet builder ..etc).Even if you get sources I 
am pretty sure they will get
detected by your IDS.

If you are really want test IDS look for IDS evasion tools. That will really 
test your IDS product.

Thank you,

Regards,
Ratna Kumar

----- Original Message ----- 
From: "Elias-Bachrach, Ari (HQ-WRH10)" <aeliasba () nasa gov>
To: "Focus-Ids Mailing List" <focus-ids () securityfocus com>
Sent: Tuesday, February 14, 2006 3:37 AM
Subject: Testing IDS with tcpreplay


> I'm trying to do some IDS testing, and after digging through the list 
> archives, the method that appeals the most to me (based in it being both 
> free and very useful for my current situation), is using tcpreplay with 
> some pcap files to replay various network attacks and see if the IDS picks 
> them up. My problem is this - I can't seem to locate a good source of pcap 
> files online that I can replay. I've tried the usual suspects (defcon, 
> sourcefire, etc.), but I can't seem to locate any. If anyone knows of any 
> trace files of network attacks (especially successful attacks) that can be 
> replayed to test an IDS, I'd certainly appreciate it.
>
> thanks
>
>
> Ari Elias-Bachrach
> NASA OIG
> aeliasba () nasa gov
> (202) 358-4578 


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------