Snort mailing list archives
RE: testing ids
From: "Brian Laing" <Brian.Laing () Blade-Software com>
Date: Mon, 17 Mar 2003 15:02:31 -0000
Julio,

You can take a look at our product. It is a purpose-built application for testing IDS and firewalls and can fully inject stateful attacks in a variety of ways. For each attack we have built up our Attack Reference library, so we have each exploit (compiled, source) with system images etc. for the target machine and the attacking machine, allowing us to recreate any attack quickly at any time. We differ from Stick or snot as we are 100% stateful and inject 100% of the attack, all while allowing you full control over IP, MAC, TTL and soon many other parameters of the packets. So you can quickly test the sensor's attack coverage as well as how the sensor and management console can handle receiving thousands of attacks a minute.

If anyone has any questions about the application etc., feel free to reply here, send me an email or give me a call. You can see our application at www.blade-software.com.

We will be releasing 4.0 early Q2 of this year; here is some information on the upcoming release. This release will focus on various evasion techniques that can be used to evade IDS detection methods, using the following, all of which can be combined or used separately:

Cheers,
Brian

- Fragmented packets 8-1024
- Out of sequence (send all packets but packet one, then send packet one)
- Break subprotocol checksum
- Overlapping packets (basic overlaps, garbage packets)
- Overlapping fragments (basic overlaps, garbage packets)
- Null fragment (before original, after original)
- HTTP case (lower and mixed)
- HTTP version (0.0, .00, 00.)
- Spoofed additional SYN/ACK (broken checksum, broken subprotocol checksum, TTL short)
- Spoofed additional ACK (broken checksum, broken subprotocol checksum, TTL short)
- Spoofed reset (from host, from target, broken checksum, broken subprotocol checksum, TTL short)
- HTTP URL encoding (unicode, self-reference directory, DOS/Windows slashes, redundant directory traversal, double slashes, null characters, session splicing)
- HTTP method (GET, HEAD)

Additionally 4.0 will introduce the following features:

- Increased Attack Library: the Informer attack library contains over 700 fully stateful exploits for testing either signature-based or anomaly-based IDS. These attacks were created using Blade Software's Reference Attack Library, which contains source, binary, tech info, system images, etc. for each attack in the product. This extensive library of exploits and system images allows IDS Informer to test using either a successful version of the exploit or an unsuccessful version of an exploit, further increasing the level of testing that can be done.
- Dual NIC session testing: allowing full client/server simulation from any two distinct points on the network
- Improved GUI
  - Fully configurable attack groups, allowing attacks to be grouped within groups, and export and import of groups
  - All configuration exportable to session files, allowing attacks to be quickly run using a variety of settings and evasion techniques
  - Improved attack settings, allowing for random IP, ranges of IP, random IP within a range, defined MAC address for both source and destination, and defined ports for all attacks
  - Updated attack log allowing for detailed reporting of what attacks were sent out and their parameters, and also allowing for packet-level details for detecting what packets are blocked by inline IDS sensors
- Options Pack enhancements
  - Enhanced CLI allowing for API-level integration
  - Packet crafting engine, allowing for the full creation and modification of packets in a graphical format, allowing for full header and data load changes of any or all packets in a traffic stream

-----Original Message-----
From: snort-users-admin@li... [mailto:snort-users-admin@li...] On Behalf Of Julio
Sent: Friday, March 14, 2003 11:23 AM
To: snort-users@li...
Subject: [Snort-users] testing ids

Hello,

I am a beginner in IDS and I would like to test my IDS. What tool can I use for it? Any suggestions?

Thanks
Julio

Blade Software Nominated In The 8th ANNUAL SC AWARDS: click on http://www.scmagazine.com/awards to vote
-------------------------------------------------------------------
Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650 367.9376
eFax: +1 208.575.1374
Blade Software - Because Real Attacks Hurt
http://www.Blade-Software.com
-------------------------------------------------------------------
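A defender-side counterpart to the HTTP URL-encoding, HTTP case and HTTP version evasions listed in Brian's message, added here as an example that is not from the post or from Blade Software's product: a small normaliser of the kind an IDS HTTP preprocessor applies before matching signatures, so that unicode/percent encoding, self-reference directories, Windows slashes, redundant traversal, double slashes and embedded nulls all collapse to one canonical request line. The request lines are constructed for the example; truncating the path at an embedded NUL is an assumption that mirrors C string handling on the target server.

```python
# Added example (not from the mailing-list post or Blade Software's IDS
# Informer): canonicalise an HTTP request line the way an IDS HTTP
# preprocessor would, so URL-encoding evasions cannot split a signature.
import re
from urllib.parse import unquote

def decode_escapes(path: str) -> str:
    """Decode %XX and IIS-style %uXXXX escapes, repeating so that
    double-encoded sequences (%252e -> %2e -> .) also collapse."""
    prev = None
    while prev != path:
        prev = path
        # Map %u00XX (unicode evasion) onto the plain %XX form first.
        path = re.sub(r"%[uU]00([0-9a-fA-F]{2})", r"%\1", path)
        path = unquote(path)
    return path

def normalize_url(raw: str) -> str:
    path = decode_escapes(raw)
    # Assumption: the server is C-based and stops reading at a NUL, so
    # anything after an embedded null character is not part of the path.
    path = path.split("\x00", 1)[0]
    path = path.replace("\\", "/")            # DOS/Windows slashes
    path = re.sub(r"/{2,}", "/", path)        # double slashes
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):                  # self-reference directory
            continue
        if seg == "..":                       # redundant directory traversal
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)

# Only real HTTP versions; "0.0", ".00", "00." and a missing version are odd.
VALID_VERSION = re.compile(r"^HTTP/(0\.9|1\.[01])$")

def normalize_request_line(line: str):
    """Return (METHOD, canonical path, VERSION, version_is_odd)."""
    fields = line.strip().split()
    method = fields[0].upper() if fields else ""          # HTTP case evasion
    url = normalize_url(fields[1]) if len(fields) > 1 else ""
    version = fields[2].upper() if len(fields) > 2 else ""
    odd = not VALID_VERSION.match(version)
    return method, url, version, odd

if __name__ == "__main__":
    # Constructed request lines: a clean one and one using several evasions.
    for req in ("gEt /cgi-bin/./test.cgi HTTP/1.0",
                "GET /cgi-bin\\..\\cgi-bin//%74est.cgi HTTP/.00"):
        print(normalize_request_line(req))
```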
Current thread:
- testing ids Julio (Mar 14)
- RE: testing ids Ray Ellington (Mar 14)
- RE: testing ids Ashley Thomas (Mar 14)
- RE: testing ids Jan van den Berg (Mar 14)
- RE: testing ids Ashley Thomas (Mar 14)
- RE: testing ids Ashley Thomas (Mar 14)
- RE: testing ids Ray Ellington (Mar 14)
- <Possible follow-ups>
- RE: testing ids Ray Ellington (Mar 14)
- testing ids Julio (Mar 17)
- RE: testing ids Brian Laing (Mar 17)
- RE: RE: testing ids Benjamin Hippler (Mar 17)
- Very Large IDS implementations (was Re: RE: testing ids) Bennett Todd (Mar 17)
- Re: Very Large IDS implementations (was Re: RE: testing ids) Andrea Barisani (Mar 17)
- Very Large IDS implementations (was Re: RE: testing ids) Bennett Todd (Mar 17)
- RE: RE: testing ids Benjamin Hippler (Mar 17)
- RE: RE: testing ids Miller, Eoin (Mar 17)
- RE: RE: testing ids Latha K (Mar 18)
- RE: testing ids Latha K (Mar 18)