Penetration Testing mailing list archives
Re: Re: Triggering IDS
From: "Albert Gonzalez" <incodeblood () gmail com>
Date: Thu, 16 Mar 2006 15:05:33 -0600
Hello,

On 3/16/06, Meidinger Chris <chris.meidinger () badenit de> wrote:
> I agree that everyone's needs are different. However, any IDS should trigger on a x-mas or SYN/FIN packet - even a single one without a full-blown portscan. If you just want to see that your IDS is operational that's a good way to do it. If it doesn't ring the alarm either it's not working or you need a different IDS.

Just because it didn't alert when you scanned doesn't mean you will need a new IDS. Misconfiguration of such devices is quite commonplace. You have so many different things that can go wrong when deploying an IDS that I expect it not to work once I have finished configuring it (just to be safe). One thing I have seen often is having an IDS deployed, it is seeing alerts, but folks aren't checking to see whether the device can see the entire stream (flow) of the data. So although they have alerts, they are still missing a significant amount of traffic due to the misconfiguration. But yes, generally when a device is deployed and you point nikto / nessus / nmap at it, you should see it triggering on various signatures. I know for sure that a full-blown nessus scan against snort will make it light up like a xmas tree.

HTH,
- Albert

> Cheers, Chris
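The flag combinations named in this thread, as an added example that is not part of the original messages: a small parser that reads the TCP flag byte from a raw IPv4 packet and names the x-mas and SYN/FIN combinations a sensor is expected to alert on. It assumes "x-mas" means FIN+PSH+URG without SYN/RST/ACK (the nmap Xmas scan pattern); the function names and the sample packets are constructed for illustration and nothing is sent on the wire.

```python
import struct

# TCP flag bits (byte 13 of the TCP header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def tcp_flags(ip_packet: bytes) -> int:
    """Return the TCP flag byte of a raw IPv4 packet, or raise ValueError."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ip_packet[0] & 0x0F) * 4            # IP header length in bytes
    if ihl < 20 or ip_packet[9] != 6:          # protocol 6 = TCP
        raise ValueError("not a TCP segment")
    if len(ip_packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    return ip_packet[ihl + 13] & 0x3F

def classify(flags: int) -> str:
    """Name the flag combinations the thread expects an IDS to alert on."""
    xmas = FIN | PSH | URG
    # Assumption: x-mas = FIN+PSH+URG with SYN, RST and ACK all clear.
    if flags & xmas == xmas and not flags & (SYN | RST | ACK):
        return "xmas"
    # SYN and FIN together never occur in a legitimate handshake or teardown.
    if flags & SYN and flags & FIN:
        return "syn-fin"
    return "ok"

def build_packet(flags: int) -> bytes:
    """Constructed sample: minimal IPv4+TCP packet, documentation addresses."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

def check_samples() -> dict:
    """Classify four constructed packets: two anomalous, two normal."""
    samples = {"xmas": FIN | PSH | URG, "syn-fin": SYN | FIN,
               "plain-syn": SYN, "syn-ack": SYN | ACK}
    return {name: classify(tcp_flags(build_packet(f)))
            for name, f in samples.items()}

if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:10s} -> {verdict}")
```

A sensor that stays silent on the first two patterns points to the kind of placement or configuration problem described in the reply, which is worth ruling out before concluding the product is at fault.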