Penetration Testing mailing list archives
Re: Test scripts for NIDS
From: ADT <synfinatic () gmail com>
Date: Sat, 4 Sep 2004 18:16:05 -0700
If you're using tcpreplay for performance testing, there are a few things you should be aware of:

1) Read the FAQ and learn how to tune your OS network stack for best replay performance. There is also a listing of common error/warning messages and detailed meanings.

2) tcpreplay will detect a failure to send a packet (ie: your hardware can't keep up) and will continue trying to resend the packet until the hardware catches up.

3) tcpreplay makes a "best effort" in terms of replaying traffic at the speed you request. There are a number of things which can make things difficult:
   a) your pcap only has a few packets
   b) your OS doesn't have a very granular nanosleep() implementation
   c) and probably others I'm forgetting

Generally speaking I do not recommend using tcpdump to validate unless you are testing an inline device and you want to know about packet loss.

-Aaron
--
synfin.net

On Thu, 2 Sep 2004 21:59:05 -0700, Peter Van Epp <vanepp () sfu ca> wrote:
> On Wed, Sep 01, 2004 at 01:54:35PM -0700, John Madden wrote:
> > I've gotten a lot of suggestions to test the signatures, I've got some to test the load but they were $$$, anything out there for free? With a software and not an appliance how does one test the load to know when the IDS can no longer verify packets and they are being dropped? Is this included in the software? Thanks again everyone :)
>
> As several people have mentioned tcpreplay from sourceforge.net is open source and thus free (at least of capital cost). You test to destruction by starting slowly and assume or check that the IDS catches everything. You then replay the same tcpdump file at ever increasing speeds until the IDS output changes (usually by failing to detect one or more signatures). At that point something in the loop is losing packets. Now you need to verify that it is the IDS and not somewhere else in your test setup (hint: if tcpdump or better, a wire speed sniffer in parallel with the IDS network interface sees all the packets you think you sent, then probably the failure is in the IDS). At any given speed you probably want to make multiple runs and make sure the IDS reports identically on all of them since the packet loss will be random and may not occur during a signature (isn't performance testing fun? :-) )
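The test-to-destruction procedure described in the quoted reply (replay the same pcap at ever increasing rates, repeat each rate several times because loss is random, and use a sniffer in parallel with the IDS interface to decide whether the IDS or the test rig dropped packets), written out as an added example that is not part of the thread and not code from the tcpreplay project. It assumes tcpreplay 4.x's --intf1/--mbps flags and its "Actual: N packets ... sent" summary line, and an IDS that writes one alert per line with a [gid:sid:rev] tag as Snort's fast alert output does; the function names, the sample alert lines and the simulated runner are constructed for illustration.

```python
"""Test-to-destruction driver for a NIDS fed by tcpreplay (hypothetical example).

Assumptions: tcpreplay 4.x flags (--intf1, --mbps); Snort-style fast alerts
carrying a [gid:sid:rev] tag; a sniffer (tcpdump -w) running on the IDS
interface in parallel so a missed alert can be blamed on the IDS or the rig.
"""
import re
import subprocess
from collections import Counter
from typing import Callable, Dict, List, Optional, Sequence, Tuple

SID_RE = re.compile(r"\[(\d+:\d+:\d+)\]")          # Snort [gid:sid:rev]
SENT_RE = re.compile(r"Actual:\s+(\d+)\s+packets")  # tcpreplay summary line

# Constructed sample of Snort "fast" alert lines (not real traffic).
SAMPLE_ALERTS = """\
09/04-18:16:05.123456  [**] [1:2000:1] TEST sig A [**] [Priority: 3] {TCP} 10.0.0.5:1234 -> 10.0.0.9:80
09/04-18:16:05.223456  [**] [1:1000:3] TEST sig B [**] [Priority: 2] {UDP} 10.0.0.5:53 -> 10.0.0.9:53
09/04-18:16:06.001000  [**] [1:2000:1] TEST sig A [**] [Priority: 3] {TCP} 10.0.0.6:4444 -> 10.0.0.9:80
"""


def count_alerts(alert_log: str) -> Counter:
    """Alerts per [gid:sid:rev]; this is what gets compared between runs."""
    counts: Counter = Counter()
    for line in alert_log.splitlines():
        m = SID_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def packets_sent(tcpreplay_output: str) -> Optional[int]:
    """Packet count from tcpreplay's 'Actual: N packets ... sent' line."""
    m = SENT_RE.search(tcpreplay_output)
    return int(m.group(1)) if m else None


def runs_agree(baseline: Counter, runs: Sequence[Counter]) -> bool:
    """Loss is random, so a rate passes only if every repetition matches."""
    return all(run == baseline for run in runs)


def classify_loss(sent: int, sniffed: int) -> str:
    """Once alerts went missing: if the parallel sniffer saw everything
    tcpreplay sent, the IDS dropped it; otherwise suspect the rig first."""
    return "ids-loss" if sniffed >= sent else "rig-loss"


# A run at a rate yields (packets tcpreplay sent, packets sniffed, alerts).
RunFn = Callable[[float], Tuple[int, int, Counter]]


def find_breaking_rate(baseline: Counter, rates: Sequence[float],
                       run: RunFn, repeats: int = 3) -> Dict:
    """Replay at each rate `repeats` times, ascending; stop at the first
    rate whose alert set differs from the baseline and say where it broke."""
    last_good: Optional[float] = None
    for mbps in rates:
        results = [run(mbps) for _ in range(repeats)]
        if runs_agree(baseline, [r[2] for r in results]):
            last_good = mbps
            continue
        sent, sniffed, alerts = next(r for r in results if r[2] != baseline)
        return {"last_good_mbps": last_good, "failed_mbps": mbps,
                "verdict": classify_loss(sent, sniffed),
                "missing": dict(baseline - alerts)}
    return {"last_good_mbps": last_good, "failed_mbps": None,
            "verdict": "ok", "missing": {}}


def tcpreplay_cmd(pcap: str, intf: str, mbps: float) -> List[str]:
    """One replay at a fixed rate (tcpreplay 4.x flags assumed)."""
    return ["tcpreplay", "--intf1", intf, "--mbps", str(mbps), pcap]


def live_run(pcap: str, intf: str, alert_file: str, sniff_file: str,
             mbps: float) -> Tuple[int, int, Counter]:
    """Real run. Caller starts `tcpdump -i <ids_if> -w sniff_file` and
    truncates alert_file before calling, and stops tcpdump afterwards."""
    out = subprocess.run(tcpreplay_cmd(pcap, intf, mbps), capture_output=True,
                         text=True, check=True).stdout
    sniffed = subprocess.run(["tcpdump", "-nr", sniff_file], capture_output=True,
                             text=True, check=True).stdout
    with open(alert_file) as fh:
        alerts = count_alerts(fh.read())
    return packets_sent(out) or 0, len(sniffed.splitlines()), alerts


def simulated_run(mbps: float, breaks_at: float = 600.0) -> Tuple[int, int, Counter]:
    """Constructed stand-in for live_run: above `breaks_at` Mb/s the IDS
    misses one 'sig A' packet while the sniffer still sees all 1000."""
    alerts = count_alerts(SAMPLE_ALERTS)
    if mbps > breaks_at:
        alerts["1:2000:1"] -= 1
    return 1000, 1000, alerts


if __name__ == "__main__":
    baseline = count_alerts(SAMPLE_ALERTS)  # taken from a slow, known-good replay
    print(find_breaking_rate(baseline, [100, 250, 500, 750, 1000], simulated_run))
```

The baseline must come from a replay slow enough that nothing in the path can drop, and the sniffer count is compared against what tcpreplay reports it actually sent, not against the pcap's packet count, since tcpreplay may retry or fall short of the requested rate on hardware that cannot keep up.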
Current thread:
- RE: Test scripts for NIDS Cure, Samuel J (Aug 31)
- <Possible follow-ups>
- RE: Test scripts for NIDS Clement Dupuis (Aug 31)
- Re: Test scripts for NIDS cruxpot (Aug 31)
- RE: Test scripts for NIDS Matt Foster (Aug 31)
- Re: Test scripts for NIDS Jose Maria Lopez (Aug 31)
- Re: Test scripts for NIDS Peter Van Epp (Sep 01)
- RE: Test scripts for NIDS Arndt . WA (Sep 01)
- RE: Test scripts for NIDS Jose Maria Lopez (Sep 01)
- RE: Test scripts for NIDS John Madden (Sep 02)
- Re: Test scripts for NIDS Peter Van Epp (Sep 03)
- Re: Test scripts for NIDS ADT (Sep 07)
- Re: Test scripts for NIDS Jose Maria Lopez (Sep 01)
- RE: Test scripts for NIDS por. Ing. Martin Hlavacek (Sep 01)
- RE: Test scripts for NIDS Bénoni MARTIN (Sep 02)
- Re: Test scripts for NIDS Iván Arce (Sep 02)