IDS mailing list archives
Re: IDS Testing Method
From: Nigel Houghton <nigel () sourcefire com>
Date: Thu, 22 Jul 2004 14:44:45 -0400
On 0, M Shirk <shirkdog_linux () hotmail com> allegedly wrote:
> If it is snort, you can use sneeze.pl to generate alerts. Also, the common way to test the IDS is to use a vulnerability scanner like Nessus and scan a box, then run TCPDUMP and compare the packet count to make sure you are not dropping packets.

Sneeze was written for Snort 1.8 and from the looks of it hasn't been updated since. It will not generate any useful traffic to test current Snort versions. It may, however, generate events on other IDS that do not keep track of state.

> If you are speaking of signatures, I usually just create or compile the exploits to make sure I am alerting on the traffic.

Not recommended for anyone but the experienced. Using tcpreplay to replay packet data of some known bad stuff would be better. Either way, you'll probably want to do these things in a lab environment.

> Shirkdog
>
> -----Original Message-----
> From: tonavtejkohli () hotmail com [mailto:tonavtejkohli () hotmail com]
> Sent: Tuesday, July 20, 2004 6:48 AM
> To: focus-ids () securityfocus com
> Subject: IDS Testing Method
> Importance: Low
>
> Hi Lists,
>
> I'm trying to find out ways of testing different IDS systems. Is there any way, recommended/best practice methodology for testing Network based IDS (NIDS)?

There are many resources available that can be found easily by using Google. Some links for you:

Methodology for Testing Intrusion Detection Systems
http://seclab.cs.ucdavis.edu/papers/tse96.pdf

NSS
http://www.nss.co.uk/

ICSA Labs
http://www.icsalabs.com/html/communities/ids/whitepaper/index.shtml

Experiences Benchmarking Intrusion Detection Systems (Available from here along with other papers)
http://www.snort.org/docs/

There are many, many more sources of information.

> It would be very nice of you if anyone can give me some technical hints. Any information - papers, tools, links and own experience are much appreciated. Hoping for a reply soon from your side.
>
> Regards,
> NAVTEJ KOHLI
-------------------------------------------------------------
Nigel Houghton
Research Engineer
Sourcefire Inc.
Vulnerability Research Team

"Dude, dolphins are intelligent and friendly!" -- Wendy
"Intelligent and friendly on rye bread, with some mayonnaise." -- Cartman
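The packet-count comparison mentioned in the quoted message, as an added example that is not part of the original thread: it counts the records in a classic libpcap capture (the format `tcpdump -w` writes) and compares that with the number of packets the IDS says it processed. The function names, the in-memory sample capture and the IDS figure are constructed for illustration; the IDS count is assumed to be read by hand from the sensor's own statistics.

```python
import struct

# libpcap file magics as read little-endian -> byte order of the rest of the file.
# Covers the microsecond (a1b2c3d4) and nanosecond (a1b23c4d) timestamp variants.
_MAGIC_TO_ENDIAN = {0xA1B2C3D4: "<", 0xA1B23C4D: "<",
                    0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}

def count_pcap_packets(data):
    """Count complete packet records in a classic libpcap capture."""
    if len(data) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    endian = _MAGIC_TO_ENDIAN.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    offset, count = 24, 0
    while offset + 16 <= len(data):
        # Record header: ts_sec, ts_frac, captured length, original length.
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16 + incl_len
        if offset > len(data):
            break  # capture cut off mid-record; do not count the partial packet
        count += 1
    return count

def compare_counts(wire_packets, ids_packets):
    """Return (packets the IDS did not see, that shortfall as a percentage)."""
    missed = wire_packets - ids_packets
    pct = round(100.0 * missed / wire_packets, 2) if wire_packets else 0.0
    return missed, pct

def build_pcap(payloads, endian="<"):
    """Build a constructed capture in memory so the example runs offline."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, payload in enumerate(payloads):
        out += struct.pack(endian + "IIII", i, 0, len(payload), len(payload)) + payload
    return out

if __name__ == "__main__":
    capture = build_pcap([b"\x00" * 60] * 1000)  # constructed stand-in for a tcpdump -w file
    ids_reported = 988                            # constructed; taken from the sensor's statistics
    wire = count_pcap_packets(capture)
    missed, pct = compare_counts(wire, ids_reported)
    print(f"tcpdump saw {wire}, IDS reported {ids_reported}: {missed} missed ({pct}%)")
```

tcpdump prints its own "packets dropped by kernel" figure when it exits; if that is non-zero, the reference count is itself too low and the comparison understates the IDS's loss.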