IDS mailing list archives
Re: Test tools for IDS
From: Mark Teicher <mht3 () earthlink net>
Date: Tue, 30 Sep 2003 16:53:49 -0600 (GMT-06:00)
There are very few off-the-shelf products that can test IPS well; a majority of testers utilize IDS tools to test IPS.

/m

-----Original Message-----
From: Greg Shipley <gshipley () neohapsis com>
Sent: Sep 30, 2003 3:17 AM
To: Raj Ghosh <rajghosh () hotmail com>
Cc: focus-ids () securityfocus com
Subject: Re: Test tools for IDS

On Fri, 26 Sep 2003, Raj Ghosh wrote:
> Are there any good test suites available to test the IDS products for
> intrusion coverage? A few I am looking at are:
>
> 1) Nessus scanner
> 2) IDS Informer
[I've been on this list too long. :) ] Here we go...

Raj,

The short version is, in most scenarios you probably won't get the results you are looking for by running a VA tool "against" a NIDS. You also should consider the differences between running attacks against a NIDS and generating background traffic. IMHO, you want (need?) to do both.

However, MANY of these topics have been discussed, at great length sometimes, in years past on this very list. Specifically, you might want to check out this post:

http://archives.neohapsis.com/archives/sf/ids/2002-q1/0081.html

...and the thread that starts here:

http://archives.neohapsis.com/archives/sf/ids/2002-q4/0023.html

---------------

I've always felt that running real exploit code against real vulnerable systems, combined with injecting a myriad of Layer-7 accurate traffic, proves to be the best testbed (short of a live network, that is). We baked much of that thinking into our first version of OSEC NIDS testing (see http://osec.neohapsis.com), which could serve as a reference point in your own efforts should you find the criteria useful.

But in short, if you need to go with a tool (over exploit code) you're probably better off going with something like IDS Informer as opposed to something like Nessus. You can toss in things like fragroute if you want to make it interesting.

As for background traffic generation, I've found that nothing matches CAW Network's (now Spirent) gear. Expensive, but worth it if you are going to do serious testing.

Hope this helps,

-Greg
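The thread's point is that a NIDS test needs both attack trials (exploit replays) and background-traffic trials, scored separately. The scorer below is an added example, not code from the thread or from any tool it names; the trial windows, alert records and signature names are constructed sample data.

```python
"""Score a NIDS test run: detection coverage on attack trials and false-positive
rate on background-traffic trials. Added example; the trial and alert records
are constructed here, not taken from any tool named in the thread."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Trial:
    trial_id: str
    kind: str            # "attack" (exploit replay) or "background" (benign L7 traffic)
    window: tuple        # (start, end) seconds; alerts inside it count for this trial

@dataclass(frozen=True)
class Alert:
    ts: float
    signature: str

def score(trials, alerts):
    """Return (coverage, false_positive_rate, per-trial sorted signature list)."""
    hits = {}
    for t in trials:
        # An attack trial counts as detected if any alert fires inside its window;
        # a background trial that triggers any alert is a false positive.
        hits[t.trial_id] = sorted({a.signature for a in alerts
                                   if t.window[0] <= a.ts <= t.window[1]})
    attacks = [t for t in trials if t.kind == "attack"]
    background = [t for t in trials if t.kind == "background"]
    detected = sum(1 for t in attacks if hits[t.trial_id])
    fps = sum(1 for t in background if hits[t.trial_id])
    coverage = detected / len(attacks) if attacks else 0.0
    fpr = fps / len(background) if background else 0.0
    return coverage, fpr, hits

# Constructed sample: three exploit replays, three background-traffic trials.
TRIALS = [
    Trial("atk-1", "attack", (0, 10)),
    Trial("atk-2", "attack", (20, 30)),
    Trial("atk-3", "attack", (40, 50)),   # no alert in this window: a miss
    Trial("bg-1", "background", (60, 70)),
    Trial("bg-2", "background", (80, 90)),
    Trial("bg-3", "background", (100, 110)),
]
ALERTS = [
    Alert(3.0, "SIG-A"),
    Alert(25.0, "SIG-B"),
    Alert(85.0, "SIG-A"),   # fires on benign traffic: a false positive
]

if __name__ == "__main__":
    cov, fpr, hits = score(TRIALS, ALERTS)
    print(f"coverage={cov:.2f} fpr={fpr:.2f} hits={hits}")
```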