Penetration Testing mailing list archives
RE: Intrusion Prevention requirements document
From: Sanjay Rawat <sanjayr () intoto com>
Date: Tue, 08 Nov 2005 10:11:59 +0530
Hi:to tell the truth, I was thinking to post a query regarding IDS informer. I worked with IDS informer and observed some points. 1. I m still not clear on "how IDS informer decides that attack was not detected?" 2. On false positives, we observe that so called U traffic, corresponding to an attack, mainly differs in the response part. in this case, if an IDS/IPS detects the attack, it flags it as false positive. but it should be noted that attack is launched against a target. Now, i m confused on one thing- for an IDS/IPS, what should be the modus of operandi? should it detect an attack on the very moment it is launched, or it should wait for the response from the target to see if it is really successful? In the second case, though FP may be reduced, but for an IPS, it can be dangerous thing. 3. sometime, packet level auditing and connection level auditing differs, as far as the final results are concerned.
please impart your expert views regards Sanjay At 02:23 AM 11/5/2005, Tony Haywood wrote:
One of the ways that you could test safely is by using something like Traffic IQ Pro or a similar product. It is a stateful traffic replay tool and can be used to test any inline or packet monitoring device. The product uses two network cards and so the library of over 700 normal and threat traffic files can be replayed statefully without the need to connect to a live target system. This allows for live production systems to be testing for the correct configuration really quickly and easily. I have been involved in working in this area for a number of years now and my previous company was Blade Software where I developed IDS Informer and Firewall Informer to provide similar testing capabilities. Information on Traffic IQ Pro is available below should you want to take a look. http://www.karalon.com/Karalon/TrafficIQ/TrafficIQ.htm Working with testing labs and a number of security and networking vendors has enabled Traffic IQ Pro to be a really useful tool for anyone who wants to check the configuration of their firewalls, IPS, IDS, routers, switches etc and see how those devices perform under different scenarios. Tony Tony Haywood www.karalon.com -----Original Message----- From: vendortrebuchet () comcast net [mailto:vendortrebuchet () comcast net] Sent: 29 October 2005 20:40 To: focus-ids () securityfocus com Subject: Re: Intrusion Prevention requirements document Another question for everyone, When you brought in each vendor for evaluation, did you configure a test network for them or did you use your production network? My 1st concern is keeping my job :o) If I test in production, I could impact production traffic. If I don't test in production, how can I best ensure that I won't have problems with custom applictions, older IP stacks which could be an issue if RFC compliance checks are done, etc. The vendor answer is always, "don't turn on blocking and just monitor." Is that a reality? I'd like some testimonials to this and some real life instances of what has been done from unbiased sources. Thanks, VT > All, > > I work on a team that manages signature and behavioral based intrusion > detection systems today. We have been tasked with reviewing IPS (or > whatever vendor name acronym you prefer) in '06. Our normal process > is to put together a base requirements document to weed out vendors in > the first round through a paper excercise and then bring in the best > we can identify. My question is, has anyone developed a matrix that > identifies key qualifiers in an IPS solution (e.g. in-line, fails > open/closed, reporting features, etc.). If so, could you provide links or the documents? > > If not, what categories are most significant to consider in your > expert opinions? What reasons did you choose the solution you have? > What would you consider if you had to choose over again, etc? > > Thanks in advance for your responses. > > VT >
------------------------------------------------------------------------------Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- RE: Intrusion Prevention requirements document Tony Haywood (Nov 05)
- RE: Intrusion Prevention requirements document Sanjay Rawat (Nov 07)
- <Possible follow-ups>
- RE: Intrusion Prevention requirements document vendortrebuchet (Nov 05)
- RE: Intrusion Prevention requirements document Arun Vishwanathan (Nov 06)