Penetration Testing mailing list archives
Testing IPS with virtual vs real attacks
From: Alcides <alcides.hercules () gmail com>
Date: Tue, 18 Jan 2011 04:16:47 -0500
Hi All, I have come across something little hard to digest. I want to know your expert views on this. Here's the scenario: An IPS (Cisco 4260) is being tested in a pre-deployment phase, at one of our clients. IPS is running in 'promiscuous mode' and plaugged into the SPAN port at the core switch. We have written a bash script which we run from the 'attacker' machine(192.168.1.1). It first does a portscan and then throws an exploit code at the vulnerable webserver in our network(192.168.1.101). We expected our IPS to raise at least 2 alerts. Problem 1: Now, whenever we launch nmap to scan for two ports, IPS does not show any alert. nmap -sS -n -p 80,443 192.168.1.101 But, if we run the nmap from CLI without -p switch, IPS shows an alert. nmap -sS -n 192.168.1.101 What could be the reason behind this? Problem 2: When we send the SQL injection payload using script, it is not caught by IPS. While troubleshooting, we confirmed (using netcat listener at victim - instead of real web server) that ' or '1'='1 string reaches the server machine. If packets with that SQL payload are travelling through the same network, why IPS is not seeing them? We could not find the answer. Going one step ahead, when we submitted the same string in the URL request from attacker's browser, it was caught by IPS Same happens with all other attack paylods that we are throwing towards real or virtual (netcat listener) servers, using netcat. Why IPS is unable to see these attacks? Thanks, Alcides ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Testing IPS with virtual vs real attacks Alcides (Jan 18)
- Re: Testing IPS with virtual vs real attacks Dan Catalin Vasile (Jan 20)
- Re: Testing IPS with virtual vs real attacks Alcides (Jan 23)
- Re: Testing IPS with virtual vs real attacks Dan Catalin Vasile (Jan 20)