IDS mailing list archives
RE: Testing IDS/IPS Signatures
From: "Matt Foster" <matt.foster () blade-software com>
Date: Tue, 1 Jun 2004 12:10:42 +0100
Hi All,

Just to add a couple of comments on IDS Informer: as it is purpose-built to test NIDS and IPS devices, you should find it very suitable to your requirements. Without going into detail on the product, it may be useful to outline the concept behind it.

In our labs an attack is run between a client and server, both a successful and an unsuccessful attempt where possible. We capture the traffic and then save it into a secured format so that it cannot be tampered with; the file can then be replayed statefully through IDS Informer.

IDS Informer typically runs on a Windows laptop with two network cards. These cards become two "virtual" PCs and you are able to replay the attack files using one NIC as a source and the other as a destination; IP and port information can be spoofed. This means that a fully stateful attack session can be run without the need to target or connect to a live host, which can make testing a very quick and efficient process.

IDS Informer has an additional "Evasion" module (see http://www.blade-software.com/EvasionGateway.htm) which allows a wide range of evasion techniques to be applied to the traffic passing through it. As with all of the testing scenarios, policies can be saved and shared to guarantee repeatable testing.

The products offer "packet" and "audit" level reporting, so if you are testing an inline device you can see at what packet the attack was blocked; you can also see any latency.

You can download restricted evaluation products from our web site, and if you would like to discuss them in more detail or see a live demo please let me know.

Regards,
Matt

_____________________________________
Matt Foster
Blade-Software Inc.
www.blade-software.com
Security Verification Management Solutions
______________________________________

-----Original Message-----
From: ravivsn () www rocsys com [mailto:ravivsn () www rocsys com]
Sent: 29 May 2004 07:32
To: rgula () tenablesecurity com
Cc: focus-ids () securityfocus com
Subject: Re: Testing IDS/IPS Signatures

True, Nessus can help in testing signatures, but IMHO it has limitations. All the NASL scripts in Nessus do not really attempt to run exploits; most of them are ACT_GATHER_INFO, meaning they only look at whether a particular port is open or check for a version in the banner received. Also, to test all the signatures you need systems which have those vulnerabilities. If not, Nessus is going to fail to show up the results.

I have a bit of experience in testing IDS/IPS signatures. I used Nikto, libwhisker and mutate2. Mutate2 is a good tool which really tests anti-NIDS tactics.

As far as snot/stick are concerned, they are not intended to test signatures. These tools trigger lots of false positives by generating packets matching the patterns of Snort signatures. In a way these tools do help to tune signatures into good shape such that they won't add fire to false positives. Snot/stick will affect an IDS like Snort, but they fail to influence an IPS because they lack the three-way handshake, and an IPS which might have stateful inspection will easily block snot-generated packets.

I did some work on this and developed e-snot, which when run against Snort gave lots of false positives; I can say that for almost all signatures there is a false positive.

Best Regards,
-Ravi
ROCSYS Technologies Ltd., http://rocsys.com
mail me to : ravivsn () rocsys com
Anyone testing an IPS should attempt to use the denial of service features in Nessus and NeWT to see what is in fact being prevented. Nessus and NeWT contain a wide variety of DoS checks which perform fairly invasive tests.

Nessus and NeWT also have a variety of anti-NIDS evasion features built in. For example, you can perform a variety of web vulnerability scans and have them use URL encoding, TCP desynchronized packets and fragmentation. Although using a vulnerability scanner to test a NIDS is an imperfect test, comparing what a NIDS picks up when evasion is and isn't used during a scan is extremely enlightening.

Most people know that Nessus can be obtained from www.nessus.org, but they may not know that NeWT is also available as a complimentary download from www.tenablesecurity.com. NeWT is available for Windows XP/2000 and can scan any machine on the local "Class C" network. It performs the same security checks as Nessus, but has its own interface, reporting and usability features. NeWT Pro is the commercial variant which has no local "Class C" scan limitation. If you have an IDS or IPS in a lab or on a small DMZ, you can use NeWT to launch your tests from any available Windows laptop or server.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com

At 06:30 PM 5/27/2004 -0800, Securecatalyst wrote:

Hi All,

I want to learn if anyone knows any particular tool or product to test and validate IDS/IPS rules and signatures? I know Snot / Stick / Mucus-1 can do a good job; however, they cannot test the signatures when the IDS/IPS does stateful inspection. They simply import the Snort signatures into packets and inject them into the network to test the rules. However, they do not establish a TCP 3-way handshake, and stateful engines (specifically for TCP, not UDP/ICMP) simply ignore them. I think Blade Software have some good marketing documents, but I also heard that their signature set is not complete enough to test all. Anybody any experience with this?
Further, is there any other way to validate the IDS/IPS signature other than running the attack itself against a vulnerable machine? I think vulnerability assessment tools do not help, for similar reasons as with Snot/Stick. I particularly wonder how TippingPoint, Intruvert, Toplayer and OneSecure verify their signatures? Or, do they really verify? If they did, there wouldn't be this many false positives, right? I know some vendors simply take Snort signatures and put them into their modified Snort engine, but I am getting lots of complaints about Snort's noise and false positives.

Your input will be highly appreciated.

Cheers,
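As an added illustration (not code from any poster in this thread) of the point made above about snot/stick-style traffic, here is a toy Python comparison of a stateless content matcher and a stateful one that only inspects flows whose three-way handshake it has seen; the signature name, pattern, addresses and packets are all constructed for the example.

```python
# Added example, not from the thread: stateless vs. stateful content matching,
# showing why packets that skip the TCP 3-way handshake (as snot/stick emit
# them) alert a stateless engine but are ignored by a stateful one.
from dataclasses import dataclass

# Hypothetical Snort-style content signature (sid -> byte pattern); constructed.
SIGNATURES = {"TOY-DIR-TRAVERSAL": b"/../../"}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # "S", "SA", "A" or "PA"
    payload: bytes = b""


def _matches(p):
    return [sid for sid, pat in SIGNATURES.items() if pat in p.payload]


def stateless_alerts(packets):
    """Alert on any packet whose payload matches, with no session check."""
    return [(i, sid) for i, p in enumerate(packets) for sid in _matches(p)]


def stateful_alerts(packets):
    """Alert only inside flows whose SYN, SYN/ACK and ACK were all observed."""
    stage = {}  # (src, sport, dst, dport) -> 1 after SYN, 2 after SYN/ACK, 3 established
    alerts = []
    for i, p in enumerate(packets):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "S":
            stage[fwd] = 1
        elif p.flags == "SA" and stage.get(rev) == 1:
            stage[rev] = 2
        elif p.flags == "A" and stage.get(fwd) == 2:
            stage[fwd] = 3
        if 3 in (stage.get(fwd), stage.get(rev)):
            alerts += [(i, sid) for sid in _matches(p)]
    return alerts


# Constructed traffic: a real session (handshake, then a matching request),
# followed by one injected packet with the same content but no handshake.
C, S = "10.0.0.5", "10.0.0.80"
REQUEST = b"GET /../../etc/passwd HTTP/1.0\r\n"
PACKETS = [
    Packet(C, S, 40000, 80, "S"),
    Packet(S, C, 80, 40000, "SA"),
    Packet(C, S, 40000, 80, "A"),
    Packet(C, S, 40000, 80, "PA", REQUEST),
    Packet("10.0.0.9", S, 51111, 80, "PA", REQUEST),
]
```

Running both matchers over PACKETS shows the stateless engine alerting on packets 3 and 4 while the stateful engine alerts only on packet 3, which is exactly the gap the thread describes when stateless injectors are used to exercise a stateful IPS.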
Current thread:
- RE: Testing IDS/IPS Signatures Matt Foster (Jun 01)
- <Possible follow-ups>
- RE: Testing IDS/IPS Signatures BLADE Software - Chris Ralph (Jun 17)