IDS mailing list archives

RE: IDS Testing tool


From: "Tom Arseneault" <TArseneault () counterpane com>
Date: Mon, 14 Jun 2004 14:00:21 -0700

I've heard this argument before and while the reasoning sounds solid I've
never seen anyone quote examples. Has anyone done the research to
support this? If so, and it's not under NDA, could they post a link to a
white paper?

If, as I suspect, the argument is valid and "vulnerability scanner" does
not equal "IDS tester" the question then comes to would it be possible
to write NASL scripts that could validly test an IDS? Is the issue with
the way the current NASL scripts are written or is it something more
fundamental? I dabble but I'm not trained as a programmer so the subtle
stuff escapes me. One thing I do know is that these would have to be a
special class of scripts with big red warnings "Do not live systems,
your job may crash". 

My reason for asking is I know that in my case and possibly others while
I could search for attacks and roll my own testing engine, my meager
programming skills make it quite a labor to build and keep up and I
just don't have the time. And I don't know how much IDS Informer costs
but if it's a lot, selling it to management might be hard and I'm not a
sales geek (I do realize that at least marginally "sales geek" is part
of the security admin's job but on a practical note, I'm just not that
good at it). So having something prebuilt that is free and that is
endorsed by the community, even if it's a limited endorsement, would be
great.

Tom

-----Original Message-----
From: ADT [mailto:synfinatic () gmail com] 
Sent: Saturday, June 12, 2004 10:58 AM
To: Anton A. Chuvakin
Cc: focus-ids () securityfocus com
Subject: Re: IDS Testing tool

On Fri, 11 Jun 2004 01:13:29 -0400 (EDT), Anton A. Chuvakin 
<anton () chuvakin org> wrote:

Is anyone aware of any open source equivalent of Blade's IDS Informer
tool to test IDSes? I am aware that TCPReplay can be used to test
IDSes but then we will need to make actual attacks at least once to
capture the traffic. Any help would be appreciated.

What's wrong with just blasting it with a vuln scanner? Nessus will
generate a lot of noise in most NIDSs and can even be tweaked for more
"noisiness"

Well think about it... a good IDS which limits the number of
false positives should detect the actual exploit.  A
vulnerability scanner is supposed to check for the
vulnerability, *not* to run the actual exploit, b/c then it
may crash/root/etc your own box.  Hence, an exploit should
look different than a vulnerability check.  Therefore, using
Nessus or other vulnerability scanners is a crappy way of
testing an IDS.  (Of course if you've got a crappy IDS, then
perhaps a crappy test methodology is ok.)

With that in mind, you can either use Blade's IDS Informer or 
roll your own solution using tcpreplay.

-Aaron
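The point Aaron makes above (a scanner's vulnerability check looks different on the wire than the exploit the IDS signature was written for, so scanner noise is a poor IDS test) can be shown with a small replay harness. The following is an added example, not code from anyone in this thread: it writes constructed frames into an in-memory pcap of the kind tcpreplay would play back at a sensor, parses them, and runs a toy content-rule engine over the TCP payloads. The IP addresses, port numbers, payloads and the two rules are all constructed for illustration; the rule syntax is a hypothetical simplification of real IDS rules, not Snort's.

```python
import struct

# Classic pcap (libpcap) file format, little-endian, Ethernet link type.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame carrying `payload` (checksums left zero;
    this is test input for a parser, not traffic meant for a real network stack)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"          # constructed MACs, EtherType IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames):
    """Serialize frames into pcap bytes: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield the captured bytes of each record in a little-endian classic pcap."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (dst_port, payload) for an IPv4/TCP frame, or None for anything else."""
    if frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:                                  # IP protocol 6 = TCP
        return None
    tcp_off = 14 + ihl
    dport = struct.unpack("!H", frame[tcp_off + 2:tcp_off + 4])[0]
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return dport, frame[tcp_off + data_off:]


# Hypothetical content rules: an exploit signature needs the oversized argument,
# a scanner's version/login probe never sends one.
RULES = [
    {"name": "FTP USER overflow attempt", "dport": 21, "content": b"USER ", "min_len": 200},
    {"name": "FTP SITE EXEC attempt", "dport": 21, "content": b"SITE EXEC", "min_len": 0},
]


def rule_matches(rule, parsed):
    if parsed is None:
        return False
    dport, payload = parsed
    return (dport == rule["dport"] and rule["content"] in payload
            and len(payload) >= rule["min_len"])


def alerts_for(frames):
    """Write frames to pcap, read them back, and return (frame_index, rule_name) alerts."""
    pcap = write_pcap(frames)
    return [(i, rule["name"])
            for i, frame in enumerate(read_pcap(pcap))
            for rule in RULES if rule_matches(rule, tcp_payload(frame))]


# Constructed traffic. Addresses are from the RFC 5737 documentation range.
SCANNER_TRAFFIC = [   # what a vulnerability check looks like: a harmless login/banner probe
    build_frame("192.0.2.10", "192.0.2.20", 40000, 21, b"USER anonymous\r\n"),
    build_frame("192.0.2.10", "192.0.2.20", 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
]
EXPLOIT_LIKE_TRAFFIC = [   # what the IDS signature was written for: an oversized argument
    build_frame("192.0.2.10", "192.0.2.20", 40002, 21, b"USER " + b"A" * 300 + b"\r\n"),
]

if __name__ == "__main__":
    print("scanner probe alerts:", alerts_for(SCANNER_TRAFFIC))          # []
    print("exploit-like alerts: ", alerts_for(EXPLOIT_LIKE_TRAFFIC))     # fires the overflow rule
```

The scanner's `USER anonymous` probe hits port 21 and contains the rule's content string, yet produces no alert because the rule also requires the oversized argument; only the replayed exploit-shaped frame does. That is the gap a scanner-based "IDS test" leaves open, and it is why a replay corpus has to contain the attack traffic itself.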
