IDS mailing list archives
Re: Testing IDS with tcpreplay
From: Aaron Turner <synfinatic () gmail com>
Date: Tue, 14 Feb 2006 15:56:41 -0800
On 2/14/06, ehanselman () netscape net <ehanselman () netscape net> wrote:
> Rather than replaying, you'll get a much better view of how well the IDS works if you use real attacks with real obfuscation techniques. Metasploit is a great tool for this (www.metasploit.org). Setting up Metasploit doesn't have to be hard. There are a bunch of tutorials on using a Whax (bootable Linux CD) ISO image to run from. Simply pop in the CD and boot. The one hitch is that you'll need to have real victims to attack. Setting up a few target systems as VMWare images makes testing simple. You can use the snapshot capability to return the victim to a pre-attack state.
Generally speaking, tcpreplay is better when one or more of the following is true:

1) Trying to do comparative analysis and you want to make sure each device sees exactly the same thing
2) Need to automate or do a lot of regression testing and want a stable and relatively simple lab environment
3) Already have a library of pcaps (either from customers, the wild or capturing traffic of real tools like Metasploit)
4) Don't want to worry about re-installing or fixing target systems after they've been 0wn3d. VMware of course helps, but there is still a lot more administrative overhead.
5) You don't want to have to install and then maintain 10's or 100's of applications and their operating systems to break into.

In general, tcpreplay isn't all that useful IMHO when you're first starting off and "want to do some IDS/IPS testing" or only intend to run a few tests or tests only once or twice, unless you already happen to have a nice pcap library.

Obviously the biggest limitation of tcpreplay is it doesn't come with a library of pcaps. Maybe one of these days I can figure out the logistics to make that happen and encourage people to actually submit pcaps (which people tend to worry might have some kind of confidential IP in them) rather than just leech off everyone else. If anyone has any bright ideas I'd love to hear them.

--
Aaron Turner
http://synfin.net/
> The problem with pcaps is that you're working with exploits that have already been seen and are static. If your goal is to determine IDS effectiveness, using real attacks is better.
>
> - Eric
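The two use cases Aaron lists first (comparative analysis where every sensor must see identical bytes, and automated regression testing against a pcap library) boil down to a small harness: hash each pcap so you can prove every device received the same input, replay it with tcpreplay, and diff the alerts the IDS produced against a stored baseline. The script below is an added example written for this archive page; it is not code from the thread's authors or from the tcpreplay project. It assumes a Snort/Suricata "fast"-format alert log, and the replay is performed through the real `tcpreplay` options `--intf1`, `--mbps` and `--loop`. The baseline dictionary, the alert lines and the pcap path are constructed sample values.

```python
"""IDS regression harness around tcpreplay (added example, not from the thread).

Flow per pcap: record its SHA-256 (so two sensors can be shown to have seen the
same bytes), replay it with tcpreplay, then compare the (gid, sid) pairs in the
IDS fast-alert log with the expected set from a baseline.
"""
import hashlib
import re
import subprocess
from pathlib import Path
from typing import Dict, List, Set, Tuple

SidSet = Set[Tuple[int, int]]

# Snort/Suricata fast alert format: "... [**] [gid:sid:rev] msg [**] ..."
FAST_ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]")

# Constructed sample alert log (not real sensor output).
SAMPLE_ALERTS = (
    "02/14-15:56:41.123456  [**] [1:1000001:1] CONSTRUCTED rule A [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:40000 -> 192.0.2.20:80\n"
    "02/14-15:56:42.000001  [**] [1:1000002:2] CONSTRUCTED rule B [**] "
    "[Priority: 3] {UDP} 192.0.2.10:5353 -> 192.0.2.20:53\n"
)

# Constructed baseline: which signatures each pcap is expected to trigger.
BASELINE: Dict[str, SidSet] = {
    "sample.pcap": {(1, 1000001), (1, 1000002), (1, 1000003)},
}


def replay_command(pcap: str, intf: str = "eth1", mbps: float = 10.0, loops: int = 1) -> List[str]:
    """Build the tcpreplay argv. --intf1/--mbps/--loop are genuine tcpreplay options."""
    return ["tcpreplay", f"--intf1={intf}", f"--mbps={mbps}", f"--loop={loops}", pcap]


def pcap_digest(pcap_bytes: bytes) -> str:
    """SHA-256 of the capture; log it per run so sensors can be compared on equal input."""
    return hashlib.sha256(pcap_bytes).hexdigest()


def parse_sids(alert_text: str) -> SidSet:
    """Extract (gid, sid) pairs from fast-format alert lines; rev is ignored."""
    return {(int(gid), int(sid)) for gid, sid, _rev in FAST_ALERT_RE.findall(alert_text)}


def compare_run(expected: SidSet, observed: SidSet) -> Dict[str, object]:
    """Regression verdict: signatures that vanished, signatures that newly appeared."""
    return {
        "missing": expected - observed,
        "unexpected": observed - expected,
        "pass": expected == observed,
    }


def check_pcap(name: str, alert_text: str, baseline: Dict[str, SidSet] = BASELINE) -> Dict[str, object]:
    """Compare one pcap's alerts against its baseline entry (empty set if unknown)."""
    return compare_run(baseline.get(name, set()), parse_sids(alert_text))


def run_regression(pcap_dir: str, alert_log: str, intf: str = "eth1") -> Dict[str, Dict[str, object]]:
    """Replay every pcap in a directory and evaluate the resulting alert log.

    Requires root and a sensor listening on `intf`; the alert log is truncated
    before each replay so alerts can be attributed to a single capture.
    """
    results = {}
    for pcap in sorted(Path(pcap_dir).glob("*.pcap")):
        print(f"{pcap.name} sha256={pcap_digest(pcap.read_bytes())}")
        Path(alert_log).write_text("")
        subprocess.run(replay_command(str(pcap), intf=intf), check=True)
        results[pcap.name] = check_pcap(pcap.name, Path(alert_log).read_text())
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; run_regression() is the live path.
    print(check_pcap("sample.pcap", SAMPLE_ALERTS))
```

Against the constructed sample the verdict reports `(1, 1000003)` as missing and nothing unexpected, which is the regression signal you want from a rule-set or sensor upgrade; the printed digest per pcap is what makes the comparative case defensible, because two sensors fed the same hash cannot blame input differences for divergent alerts.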