IDS mailing list archives
Re: To test IPS/IDS box.
From: Leon Ward <seclists () rm-rf co uk>
Date: Tue, 6 May 2008 09:17:42 +0100
Hi. Comments _inline On 5 May 2008, at 20:28, Joshua Gimer wrote:
There are several tools that you can use to aid in testing.I would use some automated scanning tools first such as Nessus; this will show you how much information can be gathered about a remote system.
If an IPS was to *block* all traffic that would allow remote device enumeration, it would break the network. Sure, some specific enumeration attempts can prevented but these would have to be looked at on a case by case basis. As a rule, Nessus, and its closed source VA alternatives are not normally useful for testing IPS.
Metasploit can also be of use in this situation. I would suggest looking into the ips_filter.rb plugin. You can also check some conference archives, and SANS reading room for more ideas, and techniques.
Yes, Metasploit is one good tool for your (and everyones) kit-bag, but it doesn't provide the reproducibility for a real good test. Even though you can run the same exploit/payload/options over and over again inside Metasploit, the target device may change state.
I would recommend taking a set of pcaps *you* create that *you want* your IPS to block (Maybe using metasploit or other tool of choice). You can then replay these over and over again to re-create the same test environment. The same rule applies for clean traffic. Once you have this clean/dirty baseline you can introduce tuning and even different devices for coparisron.
This then leaves the qualitative testing of what device can be managed best, used for event analysis best, produces the most meaningful reports etc etc
Regards -Leon
http://www.sans.org/reading_room/ http://www.blackhat.com/html/bh-media-archives/bh-multimedia-archives-index.htmlI know that there was a presentation that was done in 2006 about, ids and ips evasion. I am sure that there are ton's of others.Joshua Gimer On May 5, 2008, at 11:10 AM, Jamie Riden wrote:Try to break into the network (make sure you have explicit permission first!) and see if it stops you, or alerts. Have a play with nessus, nmap and metasploit for example.I wouldn't actually go as far as attempting to infect the network witha virus- if it did work then you would have serious problems. You could try it on a completely isolated test network. cheers, Jamie On 05/05/2008, Paari <paarim () calsoftlabs com> wrote:Hi guys,Can you please give me some reference or links on how to test IPS/IDShardware box. Thanks, Paari-- Jamie Riden / jamesr () europe com / jamie () honeynet org uk UK Honeynet Project: http://www.ukhoneynet.org/ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing itwith real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfwto learn more.------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- To test IPS/IDS box. Paari (May 05)
- Re: To test IPS/IDS box. Jamie Riden (May 05)
- Re: To test IPS/IDS box. Joshua Gimer (May 05)
- Re: To test IPS/IDS box. Leon Ward (May 06)
- Re: To test IPS/IDS box. Joshua Gimer (May 05)
- RE: To test IPS/IDS box. Srinivasa Addepalli (May 07)
- <Possible follow-ups>
- Re: To test IPS/IDS box. abhicc285 (May 06)
- Re: To test IPS/IDS box. Paari (May 06)
- Re: To test IPS/IDS box. "Zow" Terry Brugger (May 06)
- Re: To test IPS/IDS box. Aaron Turner (May 06)
- Re: To test IPS/IDS box. Jamie Riden (May 05)