IDS mailing list archives
Re: Testing IDS with tcpreplay
From: Ivan Arce <ivan.arce () coresecurity com>
Date: Mon, 20 Feb 2006 22:52:29 -0300
Aaron Turner wrote:
On 2/14/06, ehanselman () netscape net <ehanselman () netscape net> wrote:Rather than replaying, you'll get a much better view of how well the IDS works if you use real attacks with real obfuscation techniques. Metasploit is a great tool for this (www.metasploit.org). Setting up Metasploit doesn't have to be hard. There are a bunch of tutorials on using a Whax (bootable Linux CD) ISO image to run from. Simply pop in the CD and boot. The one hitch is that you'll need to have real victims to attack. Setting up a few target systems as VMWare images makes testing simple. You can use the snapshot capability to return the victim to a pre-attack state.Generally speaking, tcpreplay is better when one or more of the following is true: 1) Trying to do comparative analysis and you want to make sure each device sees exactly the same thing
Hmm, why is that harder to accomplish with Metasploit than with tcpreplay?
2) Need to automate or do a lot of regression testing and want a stable and relatively simple lab environment
same as above....
3) Already have a library of pcap's (either from customers, the wild or capturing traffic of real tools like Metasploit)
Yeah, but that is an entirely different kind of testing. Replaying the packets captured from the execution of an exploit is not the same as executing the same exploit again.
4) Don't want to worry about re-installing or fixing target systems after they've been 0wn3d. VMware of course helps, but there is still a lot more administrative overhead.
Hmm, maybe or maybe not... Actually you can pretty much automate the entire process (or a big part of it): 1. set up of the proper VMware images (specially if you're using GSX or a similar virtualization server that lets you manage images programatically and from remote) 2. run a set of exploits in the appropriate order 3. generate reports or other output with the results 4. correlate output with IDS/IPS alerts/logs/etc.
5) You don't want to have to install and then maintain 10's or 100's of applications and their operating systems to break into.
Thats a valid point...however you could pre-install these on your VMware images...
In general, tcpreplay isn't all that useful IMHO when you're first starting off and "want to do some IDS/IPS testing" or only intend to run a few tests or tests only once or twice unless you already happen to have a nice pcap library.
Ahh that's interesting, I see it in exactly the opposite way: tcpreplay is ok when you want to scratch the surface of your IDS capabilities or perhaps more appropriate for stress or throughput testing or very basic regression testing. However, if you truly want to check if the IDS recognized real attacks you need to test with real exploit runs not with a replay of their captured traffic.
Obviously the biggest limitation of tcpreplay is it doesn't come with a library of pcaps. Maybe one of these days I can figure out the
In my view, the biggest limitation is that replaying captured packets an overly simplified manner of modeling real world attacks. Today's exploit code is a lot "smarter" than simple PoC that send the same fixed data on each run. modern exploits make runtime decisions based on the state of the target system/application and several other things. To successfully simulate the execution of real exploits you need to maintain state about both endpoints (target and attacker's systems) and properly simulate the meaningful state changes in them that would change exploit-code's execution flow and elicit different traffic patterns that those from previous runs. BTW... there is a commercial product mentioned at the footer of all emails in the IDS list, notably no-one commented on it :) -ivan
-- Aaron Turner http://synfin.net/The problem with pcaps is that you're working with exploits that have already been seen and are static. If your goal is to determine IDS effectiveness, using real attacks is better. - Eric------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
-- --- "Buy the ticket, take the ride" -HST Ivan Arce CTO CORE SECURITY TECHNOLOGIES http://www.coresecurity.com PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- Testing IDS with tcpreplay Elias-Bachrach, Ari (HQ-WRH10) (Feb 13)
- Re: Testing IDS with tcpreplay ehanselman (Feb 14)
- Re: Testing IDS with tcpreplay Aaron Turner (Feb 15)
- Re: Testing IDS with tcpreplay Richard Bejtlich (Feb 19)
- Re: Testing IDS with tcpreplay Ivan Arce (Feb 21)
- Re: Testing IDS with tcpreplay Aaron Turner (Feb 22)
- Re: Testing IDS with tcpreplay Greg Shipley (Feb 22)
- Re: Testing IDS with tcpreplay Aaron Turner (Feb 23)
- Re: Testing IDS with tcpreplay Bob Walder (Feb 24)
- useful real-life example of IDS/IPS Shai Rubin (Feb 23)
- Re: Testing IDS with tcpreplay Stefano Zanero (Feb 26)
- Re: Testing IDS with tcpreplay Aaron Turner (Feb 15)
- Re: Testing IDS with tcpreplay Ivan Arce (Feb 23)
- IPS test machine Terry Vernon (Feb 24)
- Re: Testing IDS with tcpreplay Aaron Turner (Feb 24)
- Re: Testing IDS with tcpreplay Bob Walder (Feb 26)
- Re: Testing IDS with tcpreplay ehanselman (Feb 14)