Snort mailing list archives

RE: testing ids


From: "Brian Laing" <Brian.Laing () Blade-Software com>
Date: Mon, 17 Mar 2003 15:02:31 -0000

Julio,
        You can take a look at our product; it is a purpose-built
application for testing IDS and firewalls and can fully inject stateful
attacks in a variety of ways.  For each attack we have built up our
Attack Reference library, so we have each exploit (compiled, source) with
system images etc. for the target machine and the attacking machine,
allowing us to recreate any attack quickly at any time.
        We differ from Stick or Snot as we are 100% stateful and inject
100% of the attack, all while allowing you full control over IP, MAC,
TTL and soon many other parameters of the packets.  So you can quickly
test the sensor's attack coverage as well as how the sensor and
management console can handle receiving thousands of attacks a minute.
        If anyone has any questions about the applications etc., feel
free to reply here, send me an email or give me a call.  You can see our
application at www.blade-software.com.
        We will be releasing 4.0 in early Q2 of this year; here is some
information on the upcoming release. This release will focus on various
evasion techniques that can be used to evade IDS detection methods, using
the following, all of which can be combined or used separately:

Cheers,
Brian


- Fragmented packets 8-1024

- Out of sequence (send all packets but packet one, then send packet one)

- Break subprotocol checksum

- Overlapping packets (basic overlaps, garbage packets)

- Overlapping fragments (basic overlaps, garbage packets)

- Null fragment (before original, after original)

- HTTP case (lower and mixed)

- HTTP version (0.0, .00, 00.)

- Spoofed additional Syn/Ack (broken checksum, broken subprotocol
  checksum, TTL short)

- Spoofed additional Ack (broken checksum, broken subprotocol checksum,
  TTL short)

- Spoofed reset (from host, from target, broken checksum, broken
  subprotocol checksum, TTL short)

- HTTP URL encoding (unicode, self-reference directory, DOS/Windows
  slashes, redundant directory traversal, double slashes, null
  characters, session splicing)

- HTTP method (GET, HEAD)

Additionally, 4.0 will introduce the following features:

- Increased Attack Library: the Informer attack library contains over
  700 fully stateful exploits for testing either signature-based or
  anomaly-based IDS.  These attacks were created using Blade Software's
  Reference Attack Library, which contains source, binary, tech info,
  system images, etc. for each attack in the product.  This extensive
  library of exploits and system images allows IDS Informer to test using
  either a successful version of the exploit or an unsuccessful version of
  an exploit, further increasing the level of testing that can be done.

- Dual NIC session testing: allowing full client/server simulation from
  any two distinct points on the network

- Improved GUI

  - Fully configurable attack groups, allowing attacks to be grouped
    within groups, export and import of groups

  - All configuration exportable to session files, allowing for attacks
    to quickly be run using a variety of settings and evasion techniques

  - Improved attack settings, allowing for random IP, ranges of IP,
    random IP within a range, defined MAC address for both source and
    destination, and defined ports for all attacks

  - Updated attack log, allowing for detailed reporting of what attacks
    were sent out and their parameters, and also allowing for packet-level
    details for detecting which packets are blocked by inline IDS sensors

- Options Pack enhancements

  - Enhanced CLI allowing for API-level integration

  - Packet crafting engine, allowing for the full creation and
    modification of packets in a graphical format, allowing for full
    header and data load changes of any or all packets in a traffic stream.


-----Original Message-----
   From: snort-users-admin@li...
 [mailto:snort-users-admin@li...] On Behalf Of Julio
   Sent: Friday, March 14, 2003 11:23 AM
   To: snort-users@li...
   Subject: [Snort-users] testing ids


   Hello,

   I am a beginner in IDS and I would like to test my IDS; what tool can I
 use for it?

   Any suggestion?

   Thanks

   Julio


Blade Software Nominated In The 8th ANNUAL SC AWARDS 
click on http://www.scmagazine.com/awards to vote
*******************************************************************


-------------------------------------------------------------------
Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650 367.9376
eFax: +1 208.575.1374
Blade Software - Because Real Attacks Hurt
http://www.Blade-Software.com
-------------------------------------------------------------------
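A defender-side normaliser for the HTTP evasions listed in the post above, written here as an added example (not Blade Software's code): it canonicalises a request line so that one Snort-style signature matches every spelling of a path, and reports which evasion was seen so the attempt itself can be alerted on. The flag names and the sample request line are constructed; session splicing is a TCP reassembly matter and is not covered.

```python
import re
from urllib.parse import unquote

# Constructed example: undo the listed HTTP evasions and report which were seen.
_PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")  # IIS-style %uXXXX "unicode" escapes
_REQ = re.compile(r"^(\S+)\s+(\S+)(?:\s+HTTP/(\S*))?$", re.IGNORECASE)
_VERSIONS = {"0.9", "1.0", "1.1"}


def _decode(s):
    # One pass of %uXXXX decoding followed by ordinary %XX decoding.
    return unquote(_PCT_U.sub(lambda m: chr(int(m.group(1), 16)), s), errors="replace")


def normalize_uri(raw):
    """Return (canonical path[?query], list of evasion flags seen)."""
    flags = []
    path, sep, query = raw.partition("?")  # the query keeps its own encoding rules
    if _PCT_U.search(path):
        flags.append("unicode-escape")
    once = _decode(path)
    path = _decode(once)
    if path != once:  # %255c-style double encoding survives a single pass
        flags.append("double-encoding")
    if "\x00" in path:  # C-based servers stop at the NUL; match what they see
        flags.append("null-byte")
        path = path.split("\x00", 1)[0]
    if "\\" in path:  # Windows servers treat '\' as '/'
        flags.append("backslash")
        path = path.replace("\\", "/")
    segs = path.split("/")
    if "" in segs[1:-1] or "." in segs or ".." in segs:  # '//', '/./', '/../'
        flags.append("dot-or-double-slash")
    out = []
    for seg in segs:
        if seg == "..":  # resolve traversal without climbing above the root
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out) + sep + query, flags


def normalize_request_line(line):
    """Return (METHOD, canonical uri, flags), or None if not a request line."""
    m = _REQ.match(line.strip())
    if not m:
        return None
    method, uri, version = m.groups()
    flags = ["method-case"] if method != method.upper() else []
    if version not in _VERSIONS:  # catches 0.0, .00, 00. and a missing version
        flags.append("bad-version")
    uri, uri_flags = normalize_uri(uri)
    return method.upper(), uri, flags + uri_flags
```

Run the normaliser on both the raw and the canonical form of a request before matching content rules, and treat a non-empty flag list as a signal in its own right.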





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users