Testing IPS with virtual vs real attacks

[Alcides <alcides.hercules () gmail com>]

Hi All,

I have come across something little hard to digest. I want to know
your expert views on this.

Here's the scenario:
An IPS (Cisco 4260) is being tested in a pre-deployment phase, at one
of our clients. IPS is running in 'promiscuous mode' and plaugged into
the SPAN port at the core switch.

We have written a bash script which we run from the 'attacker'
machine(192.168.1.1). It first does a portscan and then throws an
exploit code at the vulnerable webserver in our
network(192.168.1.101). We expected our IPS to raise at least 2
alerts.

Problem 1:
Now, whenever we launch nmap to scan for two ports, IPS does not show
any alert.
nmap -sS -n -p 80,443  192.168.1.101

But, if we run the nmap from CLI without -p switch, IPS shows an alert.
nmap -sS -n 192.168.1.101

What could be the reason behind this?


Problem 2:
When we send the SQL injection payload using script, it is not caught
by IPS. While troubleshooting, we confirmed (using netcat listener at
victim - instead of real web server) that ' or '1'='1 string reaches
the server machine. If packets with that SQL payload are travelling
through the same network, why IPS is not seeing them? We could not
find the answer.
Going one step ahead, when we submitted the same string in the URL
request from attacker's browser, it was caught by IPS

Same happens with all other attack paylods that we are throwing
towards real or virtual (netcat listener) servers, using netcat.

Why IPS is unable to see these attacks?


Thanks,
Alcides

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------