IDS mailing list archives

Testing IDS/IPS Signatures


From: "Securecatalyst" <securecatalyst () hotmail com>
Date: Thu, 27 May 2004 18:30:44 -0800

Hi All,

I want to learn if anyone knows any particular tool or product to test and
validate IDS/IPS rules and signatures?

I know Snot / Stick / Mucus-1 can do a good job, however they cannot test
the signatures when the IDS/IPS does stateful inspection. They simply
import the SNORT signatures into packets and inject them into the NW to test the
rules. However, they do not establish the TCP 3-way handshake, and stateful
engines (specifically for TCP, not UDP/ICMP) simply ignore them.

I think Blade Software have some good marketing documents but I also heard
that their signature set is not complete to test all. Anybody any experience
with this?

Further, is there any other way to validate the IDS/IPS signature other than
running the attack itself against a vulnerable machine? I think
vulnerability assessment tools do not help, due to similar reasons as with
Snot/Stick.

I particularly wonder how TippingPoint, Intruvert, Toplayer and OnseSecure
verify their signatures? Or, do they really verify? If they did, there
wouldn't be this many false positives, right? I know some vendors simply
take SNORT signatures and put them into their modified SNORT engine, but I am
getting lots of complaints around SNORT's noise and false positives.

Your input will be highly appreciated.

Cheers,
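As an added illustration (not part of the original post) of the stateful-inspection point raised above, the toy Python tracker below shows why a payload injected without a 3-way handshake, Snot/Stick style, never reaches the content matcher of a stateful engine, while the same payload on an established flow does. Addresses, packets and the rule pattern are constructed for the example; the tracker is a simplified model, not any vendor's engine.

```python
# Toy stateful TCP tracker (constructed example). Packets are plain dicts,
# not real captures; RULE stands in for a Snort-style content signature.
SYN, ACK, PSH = 0x02, 0x10, 0x08
RULE = {"name": "demo-content-rule", "content": b"EXAMPLE-PATTERN"}

def flow_key(pkt):
    # Canonical key so both directions of a connection map to one flow.
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))

def run_engine(packets, require_state=True):
    """Replay packets; return (alerts, flow_state)."""
    state, alerts = {}, []   # flow_key -> SYN_SENT | SYN_RECV | ESTABLISHED
    for pkt in packets:
        key, flags, cur = flow_key(pkt), pkt["flags"], state.get(flow_key(pkt))
        if flags & SYN and not flags & ACK:
            state[key] = "SYN_SENT"            # client SYN
        elif flags & SYN and flags & ACK and cur == "SYN_SENT":
            state[key] = "SYN_RECV"            # server SYN/ACK
        elif flags & ACK and cur == "SYN_RECV":
            state[key] = "ESTABLISHED"         # final ACK completes handshake
        # A stateful engine inspects payload only on ESTABLISHED flows;
        # require_state=False models a stateless matcher that inspects everything.
        if pkt["payload"] and (not require_state or state.get(key) == "ESTABLISHED"):
            if RULE["content"] in pkt["payload"]:
                alerts.append((RULE["name"], key))
    return alerts, state

def pkt(src, sport, dst, dport, flags, payload=b""):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "payload": payload}

C, S = "10.0.0.5", "10.0.0.80"            # constructed client / server
PROBE = b"GET /EXAMPLE-PATTERN HTTP/1.0\r\n\r\n"

# Scenario 1: Snot/Stick-style injection, a lone PSH/ACK with no handshake.
INJECTED = [pkt(C, 40000, S, 80, PSH | ACK, PROBE)]
# Scenario 2: the same payload after a genuine 3-way handshake.
HANDSHAKE_THEN_PROBE = [
    pkt(C, 40001, S, 80, SYN),
    pkt(S, 80, C, 40001, SYN | ACK),
    pkt(C, 40001, S, 80, ACK),
    pkt(C, 40001, S, 80, PSH | ACK, PROBE),
]

def stateless_alerts(packets):
    return run_engine(packets, require_state=False)[0]

def stateful_alerts(packets):
    return run_engine(packets, require_state=True)[0]
```

Running `stateful_alerts(INJECTED)` yields no alert while `stateless_alerts(INJECTED)` fires, which is exactly the gap the injection tools leave when the engine under test tracks TCP state.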
