AW: Re: Triggering IDS

["Meidinger Chris" <chris.meidinger () badenIT de>]

I agree that everyone's needs are different. However, any IDS should trigger on a x-mas or SYN/FIN packet - even a 
single one without a full-blown portscan.

If you just want to see that your IDS is operational that's a good way to do it. If it doesn't ring the alarm either 
it's not working or you need a different IDS.

Cheers,

Chris

----- Ursprüngliche Nachricht -----
Von: "Christine Kronberg" <Christine_Kronberg () genua de>
An: "pen-test () securityfocus com" <pen-test () securityfocus com>
Gesendet: 16.03.06 19:09
Betreff: Re: Triggering IDS


   Hiho,


> Y'know how there's the EICAR anti virus test file, which lets you see
> if your anti-virus is working, well, I was wondering if there was
> something similar to let you see what happens when your IDS triggers?
>
> Should I just send a lot of NOPs in a TCP session, or make obvious
> port scans, or is there some kind of 'industry standard' way to
> deliberately trigger IDS alarms?

   I know of no 'industry standard'. I don't think there is one. If I
   want to the test my IDS I use a sample of self written rules which
   must trigger. Additionally I have samples of good traffic where my
   IDS must not trigger. But this is specific to my needs. To another
   person my good traffic may be evil. I think this makes it difficult
   to set an 'industry standard'.

   A 'industry standard' must fit to all possible situations without
   flooding the IDS with alarms. Yet it must be so generell that no
   additional software packages are needed. And you must be 100% sure
   that there is no chance for a false positive or false negative.
   For example: Let's use SYN packets to test the IDS. That should be
   no problem for any network. But this is only a part of an IDS. What's
   abount IP fragments? Are they properly detected, too? Or any other
   unusal settings in the packets? An IDS is far more complex than a
   antivirus software.

   Cheers,


                                                 Christine Kronberg.

-- 
GeNUA mbH


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
As attacks through web applications continue to rise, you need to proactively 
protect your applications from hackers. Cenzic has the most comprehensive 
solutions to meet your application security penetration testing and 
vulnerability management needs. You have an option to go with a managed 
service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). 
Download FREE whitepaper on how a managed service can help you: 
http://www.cenzic.com/forms/ec.php?pubid=10025
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com
------------------------------------------------------------------------------


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
As attacks through web applications continue to rise, you need to proactively
protect your applications from hackers. Cenzic has the most comprehensive
solutions to meet your application security penetration testing and
vulnerability management needs. You have an option to go with a managed
service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/forms/ec.php?pubid=10025
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com
------------------------------------------------------------------------------