IDS mailing list archives
Re: IDS testing methodologies
From: James Riden <j.riden () massey ac nz>
Date: Sat, 03 Jan 2004 11:41:14 +1300
Alvin Oga <alvin.sec () Virtual Linux-Consulting com> writes:
> hi ya henrik
>
> > I'm trying to find out ways of testing different IDS systems; is there a 'recommended'/best practice methodology for testing Network based IDS (NIDS) ? Any information - papers, tools, links and own experience are much appreciated,,, 8-)
>
> in my book ... ( small world ) .. an IDS is not very useful, because, the cracker is already in your network ... game over ...
Argh! No! Sooner or later, an attacker will break into your systems - despite your best efforts. That's when you need an IDS, to track what's happened and what you need to do to clean it up. (Reinstalling 5000+ machines simultaneously not being a feasible option.)

It can also help inform you of weaknesses in your firewall, e.g. if you're seeing Slammer packets directed to your internal network there's something up, or of attempted internal attacks. My copy of the 2003 Australian Computer Crime and Security Survey (thanks AusCERT) says 45% of organisations which experienced attacks believe at least one was from an internal source.

Bruce Schneier has something to say about investing all your efforts in prevention instead of spreading them across prevention, detection and response. Admittedly I believe he's now selling detection and response services, but he has a very good point.

One of the best things I've done in my job so far was to put in an IDS about a month before MSBlaster hit.

cheers,
Jamie

--
James Riden / j.riden () massey ac nz / Systems Security Engineer
GPG public key available at: http://www.massey.ac.nz/~jriden/
This post does not necessarily represent the views of my employer.
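An added example, not part of the original post, of how the inference made above (Slammer packets reaching the internal network mean a firewall gap; internal-to-internal hits mean an internal source) could be checked against flow records. The flow records, the RFC 1918 ranges and the 376-byte payload heuristic are constructed assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records: (proto, src, dst, dst_port, payload_bytes).
# Made-up values for illustration only, not data from the original post.
SAMPLE_FLOWS = [
    ("udp", "203.0.113.7", "10.1.2.3", 1434, 376),     # outside -> inside
    ("udp", "10.1.2.3", "10.1.9.44", 1434, 376),       # inside -> inside
    ("udp", "10.1.2.3", "198.51.100.5", 1434, 376),    # inside -> outside
    ("tcp", "10.1.2.3", "10.1.0.10", 1433, 120),       # ordinary SQL client traffic
    ("udp", "192.0.2.9", "10.1.2.3", 53, 80),          # DNS reply, ignored
]

# Assumed internal address space (RFC 1918); adjust to the real site plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SLAMMER_PORT = 1434        # UDP port of the MS SQL monitor service Slammer hit
SLAMMER_PAYLOAD = 376      # Slammer's single-datagram payload size (heuristic)

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify(flow):
    """Return a finding label for a Slammer-like flow, or None if it is not one."""
    proto, src, dst, dport, size = flow
    if proto != "udp" or dport != SLAMMER_PORT or size < SLAMMER_PAYLOAD:
        return None
    src_in, dst_in = is_internal(src), is_internal(dst)
    if not src_in and dst_in:
        return "firewall_gap"          # perimeter should have dropped this
    if src_in and dst_in:
        return "internal_infection"    # an inside host is the attacker
    if src_in and not dst_in:
        return "outbound_propagation"  # inside host scanning the Internet
    return "external_noise"            # neither end is ours

def triage(flows):
    """Pair each Slammer-like flow with its finding label."""
    return [(classify(f), f) for f in flows if classify(f)]

def summarize(flows):
    """Count findings by label; a non-zero firewall_gap count is the point."""
    return Counter(label for label, _ in triage(flows))

if __name__ == "__main__":
    for label, flow in triage(SAMPLE_FLOWS):
        print(f"{label:22s} {flow[1]} -> {flow[2]}")
    print(dict(summarize(SAMPLE_FLOWS)))
```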