IDS mailing list archives
Re: Worm generating network attack traffic?
From: Skyler.Bingham () londen-insurance com
Date: Fri, 5 Dec 2008 17:30:06 -0700
You bring up a good point, but not all Nessus checks are banner-grab-version-number-comparisons. Many exploit the vulnerabilities with benign payloads and check for a known-vulnerable response. This should be sufficient to generate an IDS alert. If my IDS sees an exploit going to a potentially vulnerable service, I would like to know about it. I don't expect my IDS to be able to distinguish between a malicious and a benign payload.

I made the assumption (and after rereading the original post, probably incorrectly) that the OP was inquiring for personal research, in which case Nessus would be a free/easy way to verify his IDS was working. But you're right, I wouldn't recommend using Nessus for this purpose if you had to pay for it or if you were doing serious analysis.

I agree your IDS should not be alerting on banner grabs in most cases, but that's not all Nessus does. I also agree you are better off using penetration testing products like Core Impact and Canvas for this purpose if you can afford them, but they are probably a little too pricey to be purchased for the sole purpose of generating attack traffic to test your IDS (especially for personal research). If you can't afford them (and even if you can), Metasploit is a great free alternative.

Skyler Bingham
GIAC {GSEC, GCIH, GCIA, GCFA}, CEH
(602) 957-1650 x1139

listbounce () securityfocus com wrote on 12/04/2008 04:11:15 PM:
> I think it is important to note that:
>
> (Traffic generated by vulnerability scanners) != (attack traffic)
>
> While vulnerability assessment (VA) scanners can/will generate alerts, I would advise against using them if you want to do any kind of real analysis. In fact, you probably don't want an IDS that is going to mistake something like a service probe / banner grab (which is what many VA checks actually are) with an actual attack. Any IDS that does is going to be *highly* false positive prone...
>
> FWIW, I have found tools such as Core Impact, Metasploit, and Canvas to be far better options for testing IDS/IPS signature engines.
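To make the distinction argued in the two posts above concrete, here is an added example that is not code from the thread, from Nessus, or from any of the other tools named in it. It builds a toy signature matcher with two hypothetical rules (the "X-Session" header, its 256-byte limit, and the traversal pattern are constructed for this illustration, not real vulnerabilities or vendor signatures) and runs four constructed client payloads through it: a plain banner grab, a scanner-style check that triggers the condition with inert filler, a "real" exploit that triggers the same condition with a NOP sled and stand-in shellcode bytes, and a traversal probe. A rule written against the trigger condition fires on the scanner check and the exploit alike and stays quiet on the banner grab, which is the behaviour Skyler describes wanting; `ids_self_test` is the kind of check you would run to verify that an IDS under test produced the alerts your test plan expected.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    dst_port: int
    pattern: re.Pattern  # regex over the raw TCP payload bytes


# Hypothetical signatures, constructed for this example. The "X-Session"
# header and the 256-byte limit are invented; they stand in for any overflow
# signature written against the trigger condition rather than the payload.
RULES = (
    Rule("HTTP X-Session header overflow attempt", 80,
         re.compile(rb"^X-Session: [^\r\n]{256,}", re.MULTILINE)),
    Rule("HTTP directory traversal attempt", 80,
         re.compile(rb"^(GET|POST|HEAD) [^ ]*\.\./\.\./", re.MULTILINE)),
)


def alerts_for(dst_port: int, payload: bytes) -> list[str]:
    """Names of every rule whose port and pattern match this payload."""
    return [r.name for r in RULES
            if r.dst_port == dst_port and r.pattern.search(payload)]


def _http_get(extra_headers: bytes = b"", uri: bytes = b"/") -> bytes:
    return (b"GET " + uri + b" HTTP/1.0\r\nHost: target.example\r\n"
            + extra_headers + b"\r\n")


# Constructed traffic samples: the first client payload of each session.
SAMPLES = {
    # 1. Banner grab: the version comparison happens on the *response*;
    #    the request itself carries no attack pattern at all.
    "banner_grab": b"HEAD / HTTP/1.0\r\nHost: target.example\r\n\r\n",
    # 2. Scanner-style check: triggers the overflow condition with inert
    #    filler and judges vulnerability from how the service answers.
    "scanner_check": _http_get(b"X-Session: " + b"A" * 300 + b"\r\n"),
    # 3. Exploit: same trigger, but the filler is a NOP sled followed by
    #    stand-in "shellcode" (0xcc bytes here, not working code).
    "real_exploit": _http_get(b"X-Session: " + b"\x90" * 260
                              + b"\xcc" * 64 + b"\r\n"),
    # 4. Traversal probe: a second rule, to show the matcher is generic.
    "traversal_check": _http_get(uri=b"/../../etc/passwd"),
}


def classify_samples() -> dict[str, list[str]]:
    """Alert names raised for each constructed sample."""
    return {name: alerts_for(80, payload) for name, payload in SAMPLES.items()}


def ids_self_test(expected: dict[str, list[str]]) -> list[str]:
    """Compare the alerts actually raised with what the test plan expects.

    Returns human-readable discrepancies; an empty list means every sample
    produced exactly the alerts it was supposed to.
    """
    got = classify_samples()
    return [f"{name}: expected {want}, got {got.get(name)}"
            for name, want in expected.items() if got.get(name) != want]


if __name__ == "__main__":
    for name, alerts in classify_samples().items():
        print(f"{name:16} -> {alerts or 'no alert'}")
```

The point of the sample set is the middle pair: the scanner check and the exploit differ only in their payload bytes, and neither rule looks at those bytes, so the engine cannot and need not tell them apart. Against a real IDS the same self-test would read the sensor's alert log instead of calling `classify_samples`.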
Current thread:
- Worm generating network attack traffic? isb_boy3 (Dec 03)
- Re: Worm generating network attack traffic? Tim Grossner (Dec 03)
- Re: Worm generating network attack traffic? Skyler . Bingham (Dec 04)
- Re: Worm generating network attack traffic? Greg Shipley (Dec 05)
- Re: Worm generating network attack traffic? Skyler . Bingham (Dec 08)
- Re: Worm generating network attack traffic? Greg Shipley (Dec 05)
- RE: Worm generating network attack traffic? Libershal, David M. (Dec 04)
- <Possible follow-ups>
- Re: Worm generating network attack traffic? chris (Dec 04)
- Re: Worm generating network attack traffic? Jose Nazario (Dec 05)