Penetration Testing mailing list archives
AW: Re: Triggering IDS
From: "Meidinger Chris" <chris.meidinger () badenIT de>
Date: Thu, 16 Mar 2006 19:21:57 +0100
I agree that everyone's needs are different. However, any IDS should trigger on a x-mas or SYN/FIN packet - even a single one without a full-blown portscan. If you just want to see that your IDS is operational that's a good way to do it. If it doesn't ring the alarm either it's not working or you need a different IDS. Cheers, Chris ----- Ursprüngliche Nachricht ----- Von: "Christine Kronberg" <Christine_Kronberg () genua de> An: "pen-test () securityfocus com" <pen-test () securityfocus com> Gesendet: 16.03.06 19:09 Betreff: Re: Triggering IDS Hiho,
Y'know how there's the EICAR anti virus test file, which lets you see if your anti-virus is working, well, I was wondering if there was something similar to let you see what happens when your IDS triggers? Should I just send a lot of NOPs in a TCP session, or make obvious port scans, or is there some kind of 'industry standard' way to deliberately trigger IDS alarms?
I know of no 'industry standard'. I don't think there is one. If I want to the test my IDS I use a sample of self written rules which must trigger. Additionally I have samples of good traffic where my IDS must not trigger. But this is specific to my needs. To another person my good traffic may be evil. I think this makes it difficult to set an 'industry standard'. A 'industry standard' must fit to all possible situations without flooding the IDS with alarms. Yet it must be so generell that no additional software packages are needed. And you must be 100% sure that there is no chance for a false positive or false negative. For example: Let's use SYN packets to test the IDS. That should be no problem for any network. But this is only a part of an IDS. What's abount IP fragments? Are they properly detected, too? Or any other unusal settings in the packets? An IDS is far more complex than a antivirus software. Cheers, Christine Kronberg. -- GeNUA mbH ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/forms/ec.php?pubid=10025 And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/forms/ec.php?pubid=10025 And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com ------------------------------------------------------------------------------
Current thread:
- AW: Re: Triggering IDS Meidinger Chris (Mar 16)
- Re: Re: Triggering IDS Albert Gonzalez (Mar 16)