Penetration Testing mailing list archives

Re: Test scripts for NIDS


From: ADT <synfinatic () gmail com>
Date: Sat, 4 Sep 2004 18:16:05 -0700

If you're using tcpreplay for performance testing, there are a few
things you should be aware of:

1) Read the FAQ and learn how to tune your OS network stack for best
replay performance.  There is also a listing of common error/warning
messages and detailed meanings.

2) tcpreplay will detect a failure to send a packet (i.e. your hardware
can't keep up) and will continue trying to resend the packet until the
hardware catches up.

3) tcpreplay makes a "best effort" in terms of replaying traffic at
the speed you request.  There are a number of things which can make
things difficult:
   a) your pcap only has a few packets
   b) your OS doesn't have a very granular nanosleep() implementation
   c) and probably others I'm forgetting


Generally speaking I do not recommend using tcpdump to validate unless
you are testing an inline device and you want to know about
packet loss.

-Aaron

-- 
synfin.net

On Thu, 2 Sep 2004 21:59:05 -0700, Peter Van Epp <vanepp () sfu ca> wrote:
On Wed, Sep 01, 2004 at 01:54:35PM -0700, John Madden wrote:
I've gotten a lot of suggestions to test the
signatures, I've got some to test the load but they
were $$$, anything out there for free?

With software and not an appliance, how does one test
the load to know when the IDS can no longer verify
packets and they are being dropped? Is this included
in the software?

Thanks again everyone :)


        As several people have mentioned tcpreplay from sourceforge.net is
open source and thus free (at least of capital cost).
        You test to destruction by starting slowly and assume or check that
the IDS catches everything. You then replay the same tcpdump file at ever
increasing speeds until the IDS output changes (usually by failing to detect
one or more signatures). At that point something in the loop is losing packets.
Now you need to verify that it is the IDS and not somewhere else in your
test setup (hint: if tcpdump or better, a wire speed sniffer in parallel with
the IDS network interface sees all the packets you think you sent, then
probably the failure is in the IDS). At any given speed you probably want to
make multiple runs and make sure the IDS reports identically on all of them
since the packet loss will be random and may not occur during a signature
(isn't performance testing fun? :-) )
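The ramp-to-destruction procedure Peter describes, written out as a shell harness. This is an added example, not a script from the thread or from the tcpreplay project. It assumes (hypothetically) a replay NIC REPLAY_IF, a sniffer NIC SNIFF_IF on a tap or span port wired in parallel with the IDS interface and carrying no other traffic, an IDS alert log ALERT_LOG with one line per alert, and that the 1 Mbit/s baseline run is slow enough for the IDS to catch everything. The pcap packet count is taken as the number of packets sent, which matches Aaron's note that tcpreplay retries until the hardware accepts every packet. Only the `--mbps` option of tcpreplay and `tcpdump -r`/`-w` are relied on.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): replay a pcap at increasing speeds,
# repeat each speed several times, and use a sniffer in parallel with the
# IDS interface to decide whether lost detections are the IDS's fault or
# the test rig's.  Interface names, log path and rates are assumptions.
set -u

PCAP="${PCAP:-attacks.pcap}"                      # assumed capture to replay
REPLAY_IF="${REPLAY_IF:-eth0}"                    # assumed NIC tcpreplay sends on
SNIFF_IF="${SNIFF_IF:-eth1}"                      # assumed tap/span port beside the IDS
ALERT_LOG="${ALERT_LOG:-/var/log/ids/alert.log}"  # assumed one-line-per-alert log
RUNS_PER_RATE="${RUNS_PER_RATE:-3}"

# Packets in a pcap: what tcpreplay will send, or what the sniffer saw.
pcap_packets() { tcpdump -nn -r "$1" 2>/dev/null | wc -l | tr -d ' '; }

# Non-empty lines in the alert log (0 if it does not exist yet).
alert_lines() {
  local n
  n=$(grep -c . "$ALERT_LOG" 2>/dev/null) || true
  echo "${n:-0}"
}

# Classify one run.  $1 packets sent, $2 packets the parallel sniffer saw,
# $3 alerts expected (from the slow baseline), $4 alerts the IDS produced.
# Prints: ok | harness-loss | ids-loss
classify_run() {
  local sent=$1 seen=$2 want=$3 got=$4
  if [ "$seen" -lt "$sent" ]; then
    echo harness-loss    # the wire itself lost packets: blame tcpreplay/tap/host
  elif [ "$got" -ne "$want" ]; then
    echo ids-loss        # wire carried everything, yet the IDS output changed
  else
    echo ok
  fi
}

# Exit 0 when every argument is identical; repeated runs at one rate that
# disagree show the random packet loss Peter warns about.
all_same() {
  local first=$1; shift
  for v in "$@"; do [ "$v" = "$first" ] || return 1; done
  return 0
}

# Replay at $1 Mbit/s while tcpdump watches the sniffer port.
# Prints "<sent> <seen> <new alerts>".
replay_once() {
  local mbps=$1 cap before after tdpid
  cap=$(mktemp)
  before=$(alert_lines)
  tcpdump -nn -i "$SNIFF_IF" -w "$cap" 2>/dev/null &
  tdpid=$!
  sleep 1                                     # let tcpdump attach before sending
  tcpreplay -i "$REPLAY_IF" --mbps="$mbps" "$PCAP" >/dev/null 2>&1
  sleep 2                                     # let the IDS drain its own queue
  kill "$tdpid" 2>/dev/null; wait "$tdpid" 2>/dev/null || true
  after=$(alert_lines)
  echo "$(pcap_packets "$PCAP") $(pcap_packets "$cap") $((after - before))"
  rm -f "$cap"
}

# Start slow, trust that run as the baseline, then ramp until a verdict
# other than "ok" appears (or the runs at one rate stop agreeing).
ramp() {
  local baseline mbps verdicts i
  set -- $(replay_once 1)
  baseline=$3
  for mbps in 10 50 100 250 500 1000; do
    verdicts=""; i=0
    while [ "$i" -lt "$RUNS_PER_RATE" ]; do
      set -- $(replay_once "$mbps")
      verdicts="$verdicts $(classify_run "$1" "$2" "$baseline" "$3")"
      i=$((i + 1))
    done
    echo "$mbps Mbps:$verdicts"
    all_same $verdicts || echo "  runs disagree at $mbps Mbps: loss is intermittent"
    set -- $verdicts
    [ "$1" = ok ] || { echo "stopping at $mbps Mbps ($1)"; break; }
  done
}

if [ "${1:-}" = run ]; then ramp; fi
```

Run it as `./ramp.sh run` on the replay host. A `harness-loss` verdict means the sniffer beside the IDS did not see every packet, so the rate is beyond what the replay box or tap can deliver and says nothing about the IDS; only `ids-loss`, with the sniffer count equal to the pcap count, points at the sensor. Disagreeing verdicts at one rate are exactly the random-loss case, so widen RUNS_PER_RATE rather than trust a single clean run.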

