Penetration Testing mailing list archives

Re: IDS Testing


From: "Don Parker" <dparker () rigelksecurity com>
Date: Thu, 11 Mar 2004 16:29:31 -0500 (EST)

You should be using all the openly available exploit code out there in addition to some 
funky changes to them. You still need a baseline to work with, and the publicly available 
stuff provides just that. Not only will this help you verify your IDS, it will also help 
you to tweak the signatures as required for your environment. There are quite a few 
factors beyond the normal stuff as well to test on. 

One of the key areas as well is to make sure that your IDS is properly detecting 
shellcode, and not smothering you with an avalanche of false positives. Properly 
verifying your IDS or IPS for that matter is not an easy task, nor is it a quick one. If 
you want to do it properly you need the requisite skills also. You don't want someone who 
does not even understand the exploits he/she is running to test the signatures. There is 
far more to this than simply throwing exploits at it.

Cheers!

Don

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Mar 11, Frederic Charpentier <fcharpentier () xmcopartners com> wrote:


Hi.

Some tools are ok to test an IDS, but this is not the best way to do that.

A tool will generate stupid triggers to wake up your IDS, like old CGI 
attacks and low-level tcp/ip tricks.
The best way is to understand the patterns you set up in your IDS.

No matter that some stupid guys perform ping attacks or silly CGI 
attacks!!

* Try buffer overflow/shellcode patterns, and do simple tests like: 
copy/paste a shellcode into a telnet session.

* For HTTP intrusion detection, detecting IIS Nimda attacks is not 
efficient; trying to trigger your IDS with XSS/SQL-injection techniques is 
much more efficient:
sample:
http://website/script?req=<script> or http://website/script?req=' or 1=1

You must understand how an attacker will see your perimeter and then try 
to figure out how they will test and try attacks. Then, it's easy to 
set up IDS patterns and to test them with well-known exploits.

"Know yourself and your vulnerabilities, then you can catch the one 
who wants to attack your system."

An attacker will always try a lot of techniques and attacks before the 
real intrusion. This "noise" (like XSS, large port scans, SQL, 
buffer overflow/shellcode) is easy to detect.

The purpose of an IDS is not to detect the maximum of worm attacks, 
stupid stuff or the real attack which breaks into your systems.
The purpose of an IDS is to detect the intruder quickly when he tries or 
when he is already in your systems. Then, you can quickly find him/her 
and stop the attack before damage.


Frederic.




Security Tester wrote:

Has anyone ever used a product called IDS Informer made by Blade 
Software?  I am currently looking at different methods/products that can 
test the functionality and response of production IDS sensors.

I have used stick and snot in the past, but these get old, and quite 
frankly they really don't test the detection capability of the sensor.  
They are however great tools for spamming the sensors and slipping in 
below the radar.

Do any of you have any suggestions as to what might be a good 
technique/tool to test the responses of the IDS systems, apart from 
performing the attacks yourself?  I am really looking for some sort of 
way to replay the attack data on the wire, but not actually target any 
machines.

Any help would be greatly appreciated.  Thanks in advance.

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
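
An added example, not part of the original thread: a small Python harness for the signature verification discussed above, scoring each pattern for detections, misses and false positives over constructed request lines built from Frederic's two sample strings. The signature names, the regexes and the corpus are assumptions made for illustration, not rules from any real IDS.

```python
import re
from urllib.parse import unquote_plus

# Illustrative signatures (assumed for this example): name -> (attack class, pattern).
SIGNATURES = {
    "xss-loose": ("xss", re.compile(r"script", re.I)),
    "xss-tag": ("xss", re.compile(r"<\s*script\b", re.I)),
    "sqli-tautology": ("sqli", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
}

# Constructed corpus: (request line, attack class it represents, or None if benign).
CORPUS = [
    ("GET /script?req=<script> HTTP/1.0", "xss"),
    ("GET /script?req=%3Cscript%3E HTTP/1.0", "xss"),
    ("GET /script?req='%20or%201=1 HTTP/1.0", "sqli"),
    ("GET /script?req=%27+OR+1%3D1 HTTP/1.0", "sqli"),
    ("GET /docs/javascript-guide.html HTTP/1.0", None),
    ("GET /search?q=red+or+blue HTTP/1.0", None),
]

def evaluate(corpus, normalize=True):
    """Score every signature against the corpus.

    normalize=True URL-decodes the whole request line before matching,
    a simplification of the HTTP normalization a sensor performs.
    """
    stats = {n: {"hit": 0, "miss": 0, "false_positive": 0} for n in SIGNATURES}
    for line, label in corpus:
        data = unquote_plus(line) if normalize else line
        for name, (cls, rx) in SIGNATURES.items():
            fired = bool(rx.search(data))
            if fired and label == cls:
                stats[name]["hit"] += 1             # fired on its own attack class
            elif fired:
                stats[name]["false_positive"] += 1  # fired on something else
            elif label == cls:
                stats[name]["miss"] += 1            # stayed silent on its class
    return stats

if __name__ == "__main__":
    for mode in (False, True):
        print("normalized" if mode else "raw bytes")
        for name, counts in evaluate(CORPUS, normalize=mode).items():
            print(f"  {name:15} {counts}")
```

The loose keyword pattern alerts on every request to `/script` and on the benign `javascript` page, while the tighter patterns only catch the encoded forms once the input is decoded.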

