IDS mailing list archives

Re: IDS Testing Method


From: Nigel Houghton <nigel () sourcefire com>
Date: Thu, 22 Jul 2004 14:44:45 -0400

On  0, M Shirk <shirkdog_linux () hotmail com> allegedly wrote:
> If it is snort, you can use sneeze.pl to generate alerts. Also the common
> way to test the IDS is to use a vulnerability scanner like Nessus and scan
> a box, then run TCPDUMP and compare the packet count to make sure you are
> not dropping packets.

Sneeze was written for Snort 1.8 and from the looks of it hasn't been
updated since. It will not generate any useful traffic to test current
Snort versions. It may, however, generate events on other IDS that do not
keep track of state.

> If you are speaking of signatures, I usually just create or compile the
> exploits to make sure I am alerting on the traffic.

Not recommended for anyone but the experienced. Using tcpreplay to replay
packet data of some known bad stuff would be better. Either way, you'll
probably want to do these things in a lab environment.

> Shirkdog
>
> -----Original Message-----
> From: tonavtejkohli () hotmail com [mailto:tonavtejkohli () hotmail com]
> Sent: Tuesday, July 20, 2004 6:48 AM
> To: focus-ids () securityfocus com
> Subject: IDS Testing Method
> Importance: Low
>
> Hi Lists,
>
> I'm trying to find out ways of testing different IDS systems. Is there any
> way, recommended/best practice methodology for testing Network based IDS
> (NIDS)?

There are many resources available that can be found easily by using
Google.

Some links for you:

 Methodology for Testing Intrusion Detection Systems
 http://seclab.cs.ucdavis.edu/papers/tse96.pdf

 NSS
 http://www.nss.co.uk/

 ICSA Labs
 http://www.icsalabs.com/html/communities/ids/whitepaper/index.shtml

 Experiences Benchmarking Intrusion Detection Systems
 (Available from here along with other papers)
 http://www.snort.org/docs/

There are many, many more sources of information.

> It would be very nice of you if anyone can give me some technical hints.
> Any information - papers, tools, links and own experience are much
> appreciated.
>
> Hoping for a reply soon from your side.
>
> Regards,
>
> NAVTEJ KOHLI
 
-------------------------------------------------------------
Nigel Houghton       Research Engineer        Sourcefire Inc.
                 Vulnerability Research Team

"Dude, dolphins are intelligent and friendly!" -- Wendy
"Intelligent and friendly on rye bread, with some mayonnaise." -- Cartman
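
The packet-count comparison suggested in the quoted text, as an added example that is not part of the original message: it counts complete records in a classic pcap capture (the format `tcpdump -w` writes; pcapng is rejected) and compares that figure with the number of packets the IDS reports having analysed. The function names and sample figures are constructed for illustration, and the IDS count is assumed to come from the sensor's own statistics.

```python
import struct

# Classic pcap magic bytes as they appear on disk -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond timestamps
}

def count_pcap_packets(data):
    """Return (complete_records, cut_off_tail) for a classic pcap byte string."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap capture")
    order = MAGICS[data[:4]]
    offset, packets = 24, 0                      # 24-byte global header
    while offset + 16 <= len(data):              # 16-byte per-record header
        incl_len = struct.unpack_from(order + "I", data, offset + 8)[0]
        if offset + 16 + incl_len > len(data):
            return packets, True                 # capture ends mid-record
        packets += 1
        offset += 16 + incl_len
    return packets, offset != len(data)          # stray bytes after last record

def drop_check(capture_count, ids_count):
    """Compare the tcpdump count with the count the IDS reports analysing."""
    # A negative 'missed' means the reference capture itself lost packets.
    missed = capture_count - ids_count
    pct = 100.0 * missed / capture_count if capture_count else 0.0
    return {"missed": missed, "percent": round(pct, 2), "ok": missed == 0}

def build_sample_pcap(n, order="<"):
    """Constructed sample: n 60-byte dummy frames in a pcap container."""
    magic = struct.pack(order + "I", 0xA1B2C3D4)
    header = magic + struct.pack(order + "HHiIII", 2, 4, 0, 0, 65535, 1)
    frame = bytes(60)
    record = struct.pack(order + "IIII", 0, 0, len(frame), len(frame)) + frame
    return header + record * n

if __name__ == "__main__":
    capture = build_sample_pcap(1000)
    seen, cut = count_pcap_packets(capture)
    # ids_count is a constructed figure standing in for the sensor's statistics
    print(seen, cut, drop_check(seen, ids_count=987))
```

A capture that reports a cut-off tail should be retaken before it is used as the reference count.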
