IDS mailing list archives
Re: Testing IDS/IPS Signatures
From: Ron Gula <rgula () tenablesecurity com>
Date: Fri, 28 May 2004 13:21:04 -0400
Anyone testing an IPS should attempt to use the denial of service features in Nessus and NeWT to see what is in fact being prevented. Nessus and NeWT contain a wide variety of DoS checks which perform fairly invasive tests. Nessus and NeWT also have a variety of anti-NIDS evasion features built in. For example, you can perform a variety of web vulnerability scans, and have them use URL encoding, TCP desynchronized packets and fragmentation. Although using a vulnerability scanner to test a NIDS is an imperfect test, comparing what a NIDS picks up when evasion is and isn't used during a scan is extremely enlightening.

Most people know that Nessus can be obtained from www.nessus.org, but they may not know that NeWT is also available as a complimentary download from www.tenablesecurity.com. NeWT is available for Windows XP/2000 and can scan any machine on the local "Class C" network. It performs the same security checks as Nessus, but has its own interface, reporting and usability features. NeWT Pro is the commercial variant which has no local "Class C" scan limitation. If you have an IDS or IPS in a lab or on a small DMZ, you can use NeWT to launch your tests from any available Windows laptop or server.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com

At 06:30 PM 5/27/2004 -0800, Securecatalyst wrote:
Hi All,

I want to learn if anyone knows any particular tool or product to test and validate IDS/IPS rules and signatures? I know Snot / Stick / Mucus-1 can do a good job; however, they cannot test the signatures when the IDS/IPS does stateful inspection. They simply import the SNORT signatures into packets and inject them into the NW to test the rules. However, they do not establish the TCP 3-way handshake, and stateful engines (specifically for TCP, not UDP/ICMP) simply ignore them. I think Blade Software have some good marketing documents, but I also heard that their signature set is not complete enough to test all. Anybody any experience with this?

Further, is there any other way to validate the IDS/IPS signature other than running the attack itself against a vulnerable machine? I think vulnerability assessment tools do not help, due to similar reasons with Snot/Stick. I particularly wonder how TippingPoint, Intruvert, Toplayer and OneSecure verify their signatures? Or, do they really verify? If they did, there wouldn't be this many false positives, right? I know some vendors simply take SNORT signatures and put them into their SNORT-modified engine, but I am getting lots of complaints around SNORT's noise and false positives.

Your input will be highly appreciated.

Cheers,
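The two behaviours the thread turns on, a stateful engine ignoring Stick/Snot-style packets that never completed a handshake, and a signature that is hit or missed depending on whether URL encoding or segment splitting is used, can be reproduced with a toy inspector. The block below is an added example written for this archive page; it is not code from the thread, from Nessus or NeWT, or from any of the products mentioned. The rule name, the hosts and ports, and the HTTP requests are constructed; the /cgi-bin/phf string is used only as a convenient classic pattern to match on.

```python
"""Toy stateful NIDS: compare signature hits with and without evasion.

Added example, not from the mailing-list thread or any vendor product.
It models three things the thread discusses, in pure Python:
  * a stateful engine that only inspects data on connections whose
    TCP three-way handshake it has seen (so Stick/Snot-style raw
    payload packets are ignored),
  * URL-encoding evasion, defeated by percent-decoding before matching,
  * a signature split across two TCP segments, defeated by reassembly.
"""
from dataclasses import dataclass, field
from urllib.parse import unquote

# Constructed signature: the classic /cgi-bin/phf probe (rule name is ours).
SIGNATURE = b"/cgi-bin/phf"


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""          # "S", "SA", "A" for the handshake, "" for data
    payload: bytes = b""


@dataclass
class ToyNIDS:
    normalize_url: bool = False   # percent-decode before matching
    reassemble: bool = False      # match across segment boundaries
    handshake: dict = field(default_factory=dict)   # client key -> state
    established: set = field(default_factory=set)   # client keys seen 3WHS
    streams: dict = field(default_factory=dict)     # client key -> bytes
    alerts: list = field(default_factory=list)      # client keys that fired

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _rev(p):
        return (p.dst, p.dport, p.src, p.sport)

    def inspect(self, p: Packet):
        key = self._key(p)
        # Minimal TCP state machine: SYN -> SYN/ACK -> ACK marks "established".
        if p.flags == "S":
            self.handshake[key] = "SYN"
            return
        if p.flags == "SA" and self.handshake.get(self._rev(p)) == "SYN":
            self.handshake[self._rev(p)] = "SYNACK"
            return
        if p.flags == "A" and self.handshake.get(key) == "SYNACK":
            self.established.add(key)
            self.streams[key] = b""
            return
        # Data that is not part of an established connection is ignored,
        # which is why handshake-less injectors never trip this engine.
        if key not in self.established or key in self.alerts:
            return
        data = p.payload
        if self.reassemble:
            self.streams[key] += data
            data = self.streams[key]
        if self.normalize_url:
            # latin-1 round-trips every byte, so nothing is lost in decoding.
            data = unquote(data.decode("latin-1"), encoding="latin-1").encode("latin-1")
        if SIGNATURE in data:
            self.alerts.append(key)


CLIENT = ("10.0.0.5", 40000)    # constructed addresses
SERVER = ("10.0.0.80", 80)


def do_handshake(ids: ToyNIDS):
    ids.inspect(Packet(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], "S"))
    ids.inspect(Packet(SERVER[0], CLIENT[0], SERVER[1], CLIENT[1], "SA"))
    ids.inspect(Packet(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], "A"))


def run(payloads, with_handshake=True, normalize_url=False, reassemble=False) -> bool:
    """Feed the payload segments through a fresh engine; True if the rule fired."""
    ids = ToyNIDS(normalize_url=normalize_url, reassemble=reassemble)
    if with_handshake:
        do_handshake(ids)
    for pl in payloads:
        ids.inspect(Packet(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], "", pl))
    return bool(ids.alerts)


# Constructed requests: plain, URL-encoded ("phf" as %70%68%66), and split.
PLAIN = [b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n\r\n"]
ENCODED = [b"GET /cgi-bin/%70%68%66?Qalias=x HTTP/1.0\r\n\r\n"]
SPLIT = [b"GET /cgi-b", b"in/phf?Qalias=x HTTP/1.0\r\n\r\n"]


def scenarios() -> dict:
    return {
        "stick_style_no_handshake": run(PLAIN, with_handshake=False),
        "plain_attack": run(PLAIN),
        "url_encoded_naive": run(ENCODED),
        "url_encoded_normalized": run(ENCODED, normalize_url=True),
        "split_segments_naive": run(SPLIT),
        "split_segments_reassembled": run(SPLIT, reassemble=True),
    }


if __name__ == "__main__":
    for name, hit in scenarios().items():
        print(f"{name:28s} {'ALERT' if hit else 'missed'}")
```

Running it prints one line per scenario: the handshake-less injection is missed even though the payload carries the full signature, the plain request fires, and the encoded and split variants fire only when the engine normalizes or reassembles. That is the same before/after comparison the reply recommends making with a scanner's evasion options switched on and off.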
Current thread:
- Re: Hi, I want to study IPS, (continued)
- Re: Hi, I want to study IPS Greg Martin (May 14)
- RE: Hi, I want to study IPS Omar Herrera (May 16)
- Re: Hi, I want to study IPS Raistlin (May 22)
- Re: Hi, I want to study IPS Greg Martin (May 25)
- Re: Hi, I want to study IPS Stefano Zanero (May 25)
- Re: Hi, I want to study IPS Greg Martin (May 14)
- RE: Hi, I want to study IPS Ingevaldson, Dan (ISS Atlanta) (May 14)
- RE: Hi, I want to study IPS Runion Mark A FGA DOIM WEBMASTER(ctr) (May 25)
- Re: Hi, I want to study IPS Ali Rajput (May 26)
- Testing IDS/IPS Signatures Securecatalyst (May 28)
- Re: Testing IDS/IPS Signatures Andrea Barisani (May 28)
- Re: Testing IDS/IPS Signatures Ron Gula (May 28)
- Re: Testing IDS/IPS Signatures ravivsn (May 31)
- Re: Hi, I want to study IPS Ali Rajput (May 26)