IDS mailing list archives

Re: IDS Testing tool

From: Ron Gula <rgula () tenablesecurity com>
Date: Sun, 13 Jun 2004 19:53:11 -0400

At 10:58 AM 6/12/2004 -0700, ADT wrote:

On Fri, 11 Jun 2004 01:13:29 -0400 (EDT), Anton A. Chuvakin
<anton () chuvakin org> wrote:
>
> >Is anyone aware of any open source equivalent of Blade's IDS Informer
> >tool to test IDSes? I am aware that TCPReplay can be used to test IDSes
> >but then we will need to make actual attacks at least once to capture
> >the traffic. Any help would be appreciated.
>
> What's wrong with just blasting it with a vuln scanner? Nessus will
> generate a lot of noise in most NIDSs and can even be tweaked for more
> "noisyness"

Well think about it... a good IDS which limits the number of false
positives should detect the actual exploit.  A vulnerability scanner
is supposed to check for the vulnerability, *not* to run the actual
exploit, b/c then it may crash/root/etc your own box.  Hence, an
exploit should look different then a vulnerability check.  Therefore,
using Nessus or other vulnerability scanners are a crappy way of
testing an IDS.  (Of course if you've got a crappy IDS, then perhaps a
crappy test methodology is ok.)

With that in mind, you can either use Blade's IDS Informer or roll
your own solution using tcpreplay.


I'd say using vuln scanners is far from crappy, but surely not complete.
It depends what you are looking for really. Vulnerability scanners do a
wide variety of things from port scanning, host enumeration, TCP/IP
fingerprinting, service probes (like SNMP, RPC, Netbios, .etc) and so on.
Of course, none of those may constitute an actual intrusion, but 80-90%
of most NIDS tend to focus on those activities.

If you really want to see exploits in action, I would recommend using
CORE, Metasploit, Fluxay, or some other tool that allows you to coax
root or admin from an active exploit. Finding a bunch of remote root
exploits on packetstorm, installing the vulnerable versions of those
daemons on your target system and then launching the exploit in front
of your NIDS is something everyone should do once or twice. You'll be
very surpirsed what your NIDS see and don't see.

I'd also recommend you try to bind a shell to some obscure high port with
netcat and see how your NIDS reacts. Lots of UNIX and W2K attacks invoke
a listener on some other port. If you really want to make it difficult,
put the listener on port 80.

And lastly, using TCPreplay with the traces from Defcon CTF or the
honeynet challenge can also present your NIDS with a source of traffic.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
















---------------------------------------------------------------------------

---------------------------------------------------------------------------

Current thread:

IDS Testing tool Arun Vishwanathan (Jun 07)
- Re: IDS Testing tool Anton A. Chuvakin (Jun 12)
  - Re: IDS Testing tool ADT (Jun 13)
    - Re: IDS Testing tool Ron Gula (Jun 15)
- <Possible follow-ups>
- Re: IDS Testing tool Tobias Klein (Jun 15)
- Re: IDS Testing tool ADT (Jun 15)
- Re: IDS Testing tool dhm (Jun 16)
- Re: IDS Testing tool typhon --- (Jun 16)
- RE: IDS Testing tool BLADE Software - Chris Ralph (Jun 17)
- RE: IDS Testing tool Tom Arseneault (Jun 21)
  - Re: IDS Testing tool ADT (Jun 16)
  - RE: IDS Testing tool Ron Gula (Jun 21)