IDS mailing list archives

Re: Test tools for IDS


From: Mark Teicher <mht3 () earthlink net>
Date: Tue, 30 Sep 2003 16:53:49 -0600 (GMT-06:00)

There are very few off the shelf products that can test IPS well; a majority of testers utilize IDS tools to test IPS.

/m

-----Original Message-----
From: Greg Shipley <gshipley () neohapsis com>
Sent: Sep 30, 2003 3:17 AM
To: Raj Ghosh <rajghosh () hotmail com>
Cc: focus-ids () securityfocus com
Subject: Re: Test tools for IDS


On Fri, 26 Sep 2003, Raj Ghosh wrote:

Are there any good test suites available to test the IDS products for
intrusion coverage? A few I am looking at are

1) Nessus scanner
2) IDS Informer

[I've been on this list too long.  :) ]  Here we go...

Raj,

The short version is, in most scenarios you probably won't get the
results you are looking for by running a VA tool "against" a NIDS.  You
also should consider the differences between running attacks against a
NIDS and generating background traffic.  IMHO, you want (need?) to do
both.  However, MANY of these topics have been discussed, at great length
sometimes, in years past on this very list.  Specifically, you might want
to check out this post:

http://archives.neohapsis.com/archives/sf/ids/2002-q1/0081.html

...and the thread that starts here:

http://archives.neohapsis.com/archives/sf/ids/2002-q4/0023.html

---------------

I've always felt that running real exploit code against real vulnerable
systems, combined with injecting a myriad of Layer-7 accurate traffic,
proves to be the best testbed (short of a live network, that is).  We
baked much of that thinking into our first version of OSEC NIDS testing
(see http://osec.neohapsis.com), which could serve as a reference point in
your own efforts should you find the criteria useful.

But in short, if you need to go with a tool (over exploit code) you're
probably better off going with something like IDS Informer as opposed to
something like Nessus.  You can toss in things like fragroute if you want
to make it interesting.

As for background traffic generation, I've found that nothing matches CAW
Network's (now Spirent) gear.  Expensive, but worth it if you are going to
do serious testing.

Hope this helps,

-Greg
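An added example, not from this thread or from any tool named in it, of the scoring step that follows the kind of run Greg describes: given a constructed list of replayed exploit windows and benign background-traffic bursts, plus constructed NIDS alerts, it separates detections, misses and false positives so that both halves of the test (attack coverage and noise under background traffic) are measured. The record fields and the src/dst plus time-window matching rule are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class TestCase:           # one replayed exploit run or benign background burst
    name: str
    src: str
    dst: str
    start: datetime
    end: datetime
    malicious: bool       # False for background traffic that must NOT alert

@dataclass(frozen=True)
class Alert:              # one NIDS alert; fields assumed (constructed below)
    ts: datetime
    src: str
    dst: str
    signature: str

def _matches(alert, case, slack):
    return (alert.src == case.src and alert.dst == case.dst
            and case.start - slack <= alert.ts <= case.end + slack)

def score(cases, alerts, slack=timedelta(seconds=2)):
    """Return (detected, missed, false_positives): a malicious case is detected
    if an alert shares its src/dst inside its window (plus slack); alerts that
    match no malicious case (e.g. during a background burst) are false positives."""
    claimed, detected, missed = set(), [], []
    for case in (c for c in cases if c.malicious):
        hits = {i for i, a in enumerate(alerts) if _matches(a, case, slack)}
        claimed |= hits
        (detected if hits else missed).append(case.name)
    false_positives = [a.signature for i, a in enumerate(alerts) if i not in claimed]
    return detected, missed, false_positives

def detection_rate(detected, missed):
    total = len(detected) + len(missed)
    return len(detected) / total if total else 0.0

# Constructed sample run: two exploits replayed, one benign HTTP burst between them.
T = datetime(2003, 9, 30, 3, 0, 0)
s = lambda n: T + timedelta(seconds=n)
CASES = [
    TestCase("exploit-A", "10.0.0.5", "10.0.0.20", s(0), s(5), True),
    TestCase("background-http", "10.0.0.7", "10.0.0.20", s(10), s(40), False),
    TestCase("exploit-B", "10.0.0.5", "10.0.0.21", s(60), s(65), True),
]
ALERTS = [
    Alert(s(3), "10.0.0.5", "10.0.0.20", "SIG-A"),       # true positive for exploit-A
    Alert(s(20), "10.0.0.7", "10.0.0.20", "SIG-NOISY"),  # fired on benign background traffic
]
```

Feeding real ground-truth windows and a parsed alert log into `score` gives the same three lists; a missed case means the sensor needs a signature, a false positive means the background traffic is tripping one.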


---------------------------------------------------------------------------
Captus Networks IPS 4000
Intrusion Prevention and Traffic Shaping Technology to: 
 - Instantly Stop DoS/DDoS Attacks, Worms & Port Scans
 - Automatically Control P2P, IM and Spam Traffic
 - Precisely Define and Implement Network Security & Performance Policies
FREE Vulnerability Assessment Toolkit - WhitePapers - Live Demo 
http://www.securityfocus.com/sponsor/CaptusNetworks_focus-ids_000101
---------------------------------------------------------------------------