IDS mailing list archives
Re: Testing IDS/IPS Signatures
From: <ravivsn () www rocsys com>
Date: Sat, 29 May 2004 12:02:23 +0530 (IST)
True, Nessus can help in testing signatures but IMHO it has limitations. The NASL scripts in Nessus do not all really attempt to run exploits; most of them are ACT_GATHER_INFO, meaning they only look if a particular port is open or check for a version in the banner received. Also, to test all the signatures you need systems which have those vulnerabilities. If not, Nessus is going to fail to show up the results.

I have a bit of experience in testing IDS/IPS signatures. I used Nikto, libwhisker and mutate2. Mutate2 is a good tool which really tests anti-NIDS tactics.

As far as snot/stick are concerned, they are not intended to test signatures. These tools trigger lots of false positives by generating packets matching the patterns of snort signatures. In a way these tools do help to tune signatures into good shape such that they won't add fire to false positives. Snot/stick will affect an IDS like snort, but they fail to influence an IPS because they lack the three-way handshake, and an IPS which might have stateful inspection will easily block snot-generated packets. I did some work on this and developed e-snot, which when run against snort gave lots of false positives; I can say for almost all signatures there is a false positive.

Best Regards,
-Ravi
ROCSYS Technologies Ltd., http://rocsys.com
mail me to : ravivsn () rocsys com
Anyone testing an IPS should attempt to use the denial of service features in Nessus and NeWT to see what is in fact being prevented. Nessus and NeWT contain a wide variety of DOS checks which perform fairly invasive tests. Nessus and NeWT also have a variety of anti-NIDS evasion features built in. For example, you can perform a variety of web vulnerability scans and have them use URL encoding, TCP desynchronized packets and fragmentation. Although using a vulnerability scanner to test a NIDS is an imperfect test, comparing what a NIDS picks up when evasion is and isn't used during a scan is extremely enlightening.

Most people know that Nessus can be obtained from www.nessus.org, but they may not know that NeWT is also available as a complimentary download from www.tenablesecurity.com. NeWT is available for Windows XP/2000 and can scan any machine on the local "Class C" network. It performs the same security checks as Nessus, but has its own interface, reporting and usability features. NeWT Pro is the commercial variant which has no local "Class C" scan limitation. If you have an IDS or IPS in a lab or on a small DMZ, you can use NeWT to launch your tests from any available Windows laptop or server.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com

At 06:30 PM 5/27/2004 -0800, Securecatalyst wrote:

Hi All, I want to learn if anyone knows any particular tool or product to test and validate IDS/IPS rules and signatures? I know Snot / Stick / Mucus-1 can do a good job; however, they cannot test the signatures when the IDS/IPS does stateful inspection. They simply import the SNORT signatures into packets and inject them into the NW to test the rules. However, they do not establish the TCP 3-way handshake, and stateful engines (specifically for TCP, not UDP/ICMP) simply ignore them. I think Blade Software have some good marketing documents, but I also heard that their signature set is not complete enough to test all. Anybody any experience with this?
Further, is there any other way to validate the IDS/IPS signatures other than running the attack itself against a vulnerable machine? I think vulnerability assessment tools do not help, due to similar reasons as with Snot/Stick. I particularly wonder how TippingPoint, Intruvert, Toplayer and OnseSecure verify their signatures? Or do they really verify? If they did, there wouldn't be this many false positives, right? I know some vendors simply take SNORT signatures and put them into their modified SNORT engine, but I am getting lots of complaints around SNORT's noise and false positives. Your input will be highly appreciated. Cheers,
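The two points the thread keeps returning to, that Snot/Stick-style injected packets trip a pattern matcher but not an engine that requires a completed three-way handshake, and that a matcher which does not normalize URL encoding misses the same request once it is encoded, can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from any of the posters or from Snort, Nessus or NeWT; the signature, the hosts, the ports and the three packet sequences are all constructed for illustration.

```python
# Added example (not from the thread): toy model of a stateless pattern matcher
# versus a stateful, normalizing matcher, run over constructed packet sequences.
from dataclasses import dataclass
from urllib.parse import unquote

SYN = 0x02
PSH = 0x08
ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


# Constructed signature in the spirit of a Snort "content" rule (hypothetical, not a real rule).
SIG_NAME = "WEB-MISC directory traversal"
SIG_CONTENT = b"../.."
SIG_PORT = 80


def normalize_http(payload: bytes) -> bytes:
    """Decode %XX escapes so that '%2e%2e/' is matched like '../'."""
    return unquote(payload.decode("latin-1")).encode("latin-1")


def stateless_alerts(packets):
    """Fires on any packet carrying the raw pattern, with no notion of TCP state."""
    return [SIG_NAME for p in packets if p.dport == SIG_PORT and SIG_CONTENT in p.payload]


class StatefulMatcher:
    """Inspects payload only on flows that completed a SYN, SYN/ACK, ACK handshake."""

    def __init__(self):
        self.pending = {}        # client-side flow tuple -> handshake stage reached
        self.established = set()

    def feed(self, p: Packet):
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if p.flags == SYN:
            self.pending[flow] = "syn"
            return None
        if p.flags == SYN | ACK and self.pending.get(reverse) == "syn":
            self.pending[reverse] = "synack"
            return None
        if p.flags & ACK and self.pending.get(flow) == "synack":
            del self.pending[flow]
            self.established.add(flow)
        if flow not in self.established:
            return None          # unsolicited segment: a stateful engine ignores or blocks it
        if p.dport == SIG_PORT and SIG_CONTENT in normalize_http(p.payload):
            return SIG_NAME
        return None

    def alerts(self, packets):
        return [a for a in map(self.feed, packets) if a]


# Constructed endpoints: a client and a web server.
C, S = ("10.0.0.5", 40000), ("10.0.0.80", 80)


def handshake():
    return [Packet(*C, *S, SYN), Packet(*S, *C, SYN | ACK), Packet(*C, *S, ACK)]


PLAIN = b"GET /../../etc/passwd HTTP/1.0\r\n"
ENCODED = b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n"

SCENARIOS = {
    # Snot/Stick style: signature content injected with no handshake at all.
    "injected_no_handshake": [Packet(*C, *S, PSH | ACK, PLAIN)],
    # Real connection, plain request: both matchers should fire.
    "established_plain": handshake() + [Packet(*C, *S, PSH | ACK, PLAIN)],
    # Real connection, URL-encoded request: only the normalizing matcher fires.
    "established_encoded": handshake() + [Packet(*C, *S, PSH | ACK, ENCODED)],
}


def compare(scenarios=SCENARIOS):
    """Return {scenario: (stateless alert count, stateful alert count)}."""
    return {name: (len(stateless_alerts(pkts)), len(StatefulMatcher().alerts(pkts)))
            for name, pkts in scenarios.items()}


if __name__ == "__main__":
    for name, counts in compare().items():
        print(f"{name:24s} stateless={counts[0]} stateful={counts[1]}")
```

Running it reproduces the thread's observations in miniature: the injected packet raises a stateless alert and nothing on the stateful side, the plain request on a real connection raises both, and the encoded request raises only the stateful alert because that matcher decodes before comparing. Comparing the two columns across a scan with and without evasion is exactly the kind of check Ron Gula describes, and it is the reason a false-positive count from Snot/Stick alone says little about a stateful IPS.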