Re: Testing IDS with tcpreplay

["Aaron Turner" <synfinatic () gmail com>]

Hey Stefano,

On 2/25/06, Stefano Zanero <zanero () elet polimi it> wrote:
> Aaron Turner wrote:

[snip most of this since I've already covered test labs and the effort
to setup and maintain them]

> > Say you have two IPS's you want to test.  You an send an "attack" with
> > Metasploit against the first one and it detects it.  You run it again
> > against the second one and it doesn't.
>
> Consider this.
>
> You send a tcp replayed stream against the first one, and then agains
> the second one. The first one catches an attack, the second one doesn't.
>
> Does this mean the first one is better ? No, it does not mean absolutely
> anything.

In a vacuum, of course not.  But we're talking about a series of test
cases here.

> The core of the problem is in WHAT YOU CALL TESTING, not in what you use
> to throw packets at your IDS probe...

I'm not going to try to tell you or anyone what is the right
methodology to test IDS/IPS's.  Everyone seems to have their own
opinions on the mattter and the correct answer seems to depend on
their goals, resources (both financially and time) and background. 
Hopefully through this thread people have gotten a clearer picture of
how tools like Metasploit and tcpreplay can be used (or shouldn't be)
in their tests.

Regards,
Aaron

--
Aaron Turner
http://synfin.net/

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------