Re: Advice testing IDS products

[Zachary Yamada <zachary.yamada () CHEMEKETA EDU>]

Hi Bobby,

WICAR has a collection of test payloads which may suit your needs. You can
find their payloads at http://www.wicar.org/test-malware.html. In addition,
the European Institute for Computer Anti-Virus Research's (EICAR)
anti-malware test file is commonly used for testing anti-malware and IDS
systems and is included in WICAR's collection.

In addition, there are websites and github repositories which have
collections of *actual* malware. *Please be extremely cautious visiting
these sites as the files which you can download through them contain actual
malicious software which was collected from the wild. *The URLs have been
modified to prevent the automatic conversion into hyperlinks.

http://www(dot)tekdefense(dot)com/downloads/malware-samples/
https://(dot)github(dot)com/ytisf/theZoo

Happy hunting,

Zachary Yamada, CEH, CHFI
Chemeketa Community College
Information Security Team Lead, Information Technology
Adjunct Faculty, Computer Information Systems
503.584.7367
zachary.yamada () chemeketa edu


On Thu, Feb 14, 2019 at 10:53 AM Bridges, Robert A. <
0000008d8011d045-dmarc-request () listserv educause edu> wrote:

> Hi,
>
> We’re in the process of designing a test of some IDS products and are
> looking for any advice from those who have designed and run experiments of
> new tools. We are looking into IDS tools that complement traditional
> (signature/rule-based) IDS that is they should complement host-based AV,
> firewalls, tools like Snort). Some of these tools sit at the network level
> and perform file extraction / packet reconstruction to provide detection of
> malware or of fileless malware. Some rely on host agents.
>
>
>
> Some questions:
>
> ·         We’ll need both benign files and malicious files and fileless
> malware. Are there good, up-to-date libraries anyone recommends?
>
> ·         We’ll need network traffic sending the files—are there
> prescripted attack scenarios we can use or should we work from scratch?
>
> ·         We are trying to test the ability of these tools to get
> never-before-seen malware. Here’s some ideas for obtaining such files
>
> o   Augment malware (manually create variants)
>
> o   Configure the tool, but wait a few months w/o updating it and use
> malware that was discovered in that time period
>
> o   Time travel (😝)
>
> Are there other good solutions?
>
>
>
> Any general advice for testing these tools is recommended!
>
>
>
> Thanks,
>
> Bobby
>
>
>
>
>
> Robert A. Bridges, PhD, Cyber Security Research Mathematician, Oak Ridge
> National Laboratory