IDS mailing list archives

Re: IDS Testing tool


From: ADT <synfinatic () gmail com>
Date: Sat, 12 Jun 2004 10:58:01 -0700

On Fri, 11 Jun 2004 01:13:29 -0400 (EDT), Anton A. Chuvakin
<anton () chuvakin org> wrote:

Is anyone aware of any open source equivalent of Blade's IDS Informer
tool to test IDSes? I am aware that TCPReplay can be used to test IDSes
but then we will need to make actual attacks at least once to capture
the traffic. Any help would be appreciated.

What's wrong with just blasting it with a vuln scanner? Nessus will
generate a lot of noise in most NIDSs and can even be tweaked for more
"noisiness"

Well think about it... a good IDS which limits the number of false
positives should detect the actual exploit.  A vulnerability scanner
is supposed to check for the vulnerability, *not* to run the actual
exploit, b/c then it may crash/root/etc your own box.  Hence, an
exploit should look different than a vulnerability check.  Therefore,
using Nessus or other vulnerability scanners is a crappy way of
testing an IDS.  (Of course if you've got a crappy IDS, then perhaps a
crappy test methodology is ok.)

With that in mind, you can either use Blade's IDS Informer or roll
your own solution using tcpreplay.

-Aaron
