IDS mailing list archives

Re: Evaluating IDS


From: tcp fin <inet_inaddr () yahoo com>
Date: Mon, 10 Jul 2006 21:45:55 -0700 (PDT)

Hi, 
I would go about testing my IDS in the following way.
Assuming you have the test network and you can play
around, I would take the set of applications most used
in my network and, if feasible, create one server each
for each application we are using. Create a
network with 3 routes to the internal network via each
IDS and have the 3 attack machines.
Internal N/w----IDS/IPS 1----Attack Machine 1
            ----IDS/IPS 2----Attack Machine 2
            ----IDS/IPS 3----Attack Machine 3
So the steps would be:
1. Create the test setup with the applications we are
using in production or the segment which we are trying
to protect. Assume the Internet is a threat as well as
an internal employee.
2. Run a pentest on the network from the Internet,
assuming the network being protected by the IDS/IPS is
internal and the external side is your test
attacker's machine. Please keep the default signature
set on all the IDS/IPS.
3. See which ports are open and exploitable with the
NMAP/Nessus combo. Also you can use Amap and Paros
www.parosproxy.org/faq.shtml . (Make sure you have
libwhisker and Hydra installed on the same machine as
Nessus.)
4. Download the exploit and execute.

While you do the above tests, look for:
1. False positives on each IDS: correct attacks
versus incorrectly alerted attacks.
2. The attacks not identified (false negatives).
3. The logging capacity and detection capacity
at peak load; say the box is 1 Gb throughput, put
the box under stress and see.
4. Randomly choose a list of attacks and mix with
the above stress testing; say 10% bad traffic and 90%
normal traffic at a line rate of 1 Gbps, you should see
the actual box sending 900 Mbps and 100 Mbps being
dropped, assuming every UDP/TCP session has the same
payload and packet size.
5. Check the box with fragroute to evade the signature
detection mechanism.

Hope this helps.
TCP-FIN



--- pentesticle () yahoo com wrote:

I am preparing to evaluate three IDS's on a test
network. My intent is to replay normal traffic on
the network and have each vendor run their own
system to show the capabilities, then I would like
to run exploits across the network on certain
machines to see how the system detects the exploits
and lastly disable their rule for a particular virus
to simulate a 1 day virus propagation and see how
the systems detect and react to it moving across the
test network.

Does anyone have any experience conducting similar
evaluations?

Any recommendation as to what type of exploits to
run on the systems to get the best results from the
IDS's?

Lastly anyone know where I can get a virus to use
and any recommendations in that area? I was
considering possibly using a honeynet setup for the
virus to propagate to, to simulate many systems at
once, but am not 100% certain yet.

Any recommendations or guidance is much appreciated.

