IDS mailing list archives

Re: Worm generating network attack traffic?


From: Skyler.Bingham () londen-insurance com
Date: Fri, 5 Dec 2008 17:30:06 -0700

You bring up a good point, but not all Nessus checks are
banner-grab-version-number-comparisons.  Many exploit the vulnerabilities
with benign payloads and check for a known-vulnerable response.  This
should be sufficient to generate an IDS alert.  If my IDS sees an exploit
going to a potentially vulnerable service, I would like to know about it.
I don't expect my IDS to be able to distinguish between a malicious and a
benign payload.

I made the assumption (and after rereading the original post, probably
incorrectly) that the OP was inquiring for personal research, in which
case, Nessus would be a free/easy way to check to verify his IDS was
working.  But you're right, I wouldn't recommend using Nessus for this
purpose if you had to pay for it or if you were doing serious analysis.  I
agree your IDS should not be alerting on banner grabs in most cases, but
that's not all Nessus does.

I also agree you are better off using penetration testing products like
Core Impact and Canvas for this purpose if you can afford them, but
they are probably a little too pricey to be purchased for the sole purpose
of generating attack traffic to test your IDS (especially for personal
research).  If you can't afford them (and even if you can), Metasploit is a
great free alternative.

Skyler Bingham
GIAC {GSEC, GCIH, GCIA, GCFA}, CEH
(602) 957-1650 x1139

listbounce () securityfocus com wrote on 12/04/2008 04:11:15 PM:


I think it is important to note that:

(Traffic generated by vulnerability scanners) != (attack traffic)

While vulnerability assessment (VA) scanners can/will generate alerts
I would advise against using them if you want to do any kind of real
analysis.  In fact, you probably don't want an IDS that is going to
mistake something like a service probe / banner grab (which is what
many VA checks actually are) with an actual attack.  Any IDS that does
is going to be *highly* false positive prone...

FWIW, I have found tools such as Core Impact, Metasploit, and Canvas
to be far better options for testing IDS/IPS signature engines.

