Re: To test IPS/IDS box.

[Leon Ward <seclists () rm-rf co uk>]

Hi.

Comments _inline

On 5 May 2008, at 20:28, Joshua Gimer wrote:

> There are several tools that you can use to aid in testing.
> I would use some automated scanning tools first such as Nessus; this  
> will show you how much information can be gathered about a remote  
> system.

If an IPS was to *block* all traffic that would allow remote device  
enumeration, it would break the network. Sure, some specific  
enumeration attempts can prevented but these would have to be looked  
at on a case by case basis. As a rule, Nessus, and its closed source  
VA alternatives are not normally useful for testing IPS.

> Metasploit can also be of use in this situation. I would suggest  
> looking into the ips_filter.rb plugin.
> You can also check some conference archives, and SANS reading room  
> for more ideas, and techniques.

Yes, Metasploit is one good tool for your (and everyones) kit-bag, but  
it doesn't provide the reproducibility for a real good test. Even  
though you can run the same exploit/payload/options over and over  
again inside Metasploit, the target device may change state.

I would recommend taking a set of pcaps *you* create that *you want*  
your IPS to block (Maybe using metasploit or other tool of choice).  
You can then replay these over and over again to re-create the same  
test environment. The same rule applies for clean traffic. Once you  
have this clean/dirty baseline you can introduce tuning and even  
different devices for coparisron.

This then leaves the qualitative testing of what device can be managed  
best, used for event analysis best, produces the most meaningful  
reports etc etc

Regards

-Leon



> http://www.sans.org/reading_room/
>
> http://www.blackhat.com/html/bh-media-archives/bh-multimedia-archives-index.html
>
> I know that there was a presentation that was done in 2006 about,  
> ids and ips evasion. I am sure that there are ton's of others.
>
> Joshua Gimer
>
>
> On May 5, 2008, at 11:10 AM, Jamie Riden wrote:
>
> > Try to break into the network (make sure you have explicit permission
> > first!) and see if it stops you, or alerts. Have a play with nessus,
> > nmap and metasploit for example.
> >
> > I wouldn't actually go as far as attempting to infect the network  
> > with
> > a virus- if it did work then you would have serious problems. You
> > could try it on a completely isolated test network.
> >
> > cheers,
> > Jamie
> >
> > On 05/05/2008, Paari <paarim () calsoftlabs com> wrote:
> > > Hi guys,
> > >
> > >  Can you please give me some reference or links  on how to test  
> > > IPS/IDS
> > > hardware box.
> > >
> > >
> > > Thanks,
> > > Paari
> >
> > --
> > Jamie Riden / jamesr () europe com / jamie () honeynet org uk
> > UK Honeynet Project: http://www.ukhoneynet.org/
> >
> > ------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> > to learn more.
> > ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing itwith real-world attacks  
> from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfwto 
>  learn more.
> ------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------