IDS mailing list archives
RE: IDS Testing tool
From: "Tom Arseneault" <TArseneault () counterpane com>
Date: Mon, 14 Jun 2004 14:00:21 -0700
I've heard this argument before and while the reasoning sound solid I've never seen any one quote examples. Has anyone done the research to support this? If so, and it's not under NDA, could they post a link to a white paper? If, as I suspect, the argument is valid and "vulnerability scanner" does not equal "IDS tester" the question then comes to would it be possible to write NASL scripts that could validly test an IDS? Is the issue with the way the current NASL scripts are written or is it something more fundamental? I dabble but I'm not trained as a programmer so the subtle stuff escapes me. One thing I do know is that these would have to be a special class of scripts with big red warnings "Do not live systems, your job may crash". My reason for asking is I know that in my case and possibly others while I could search for attacks and role my own testing engine, my meager programming skills makes it quite a labor to build and keep up and I just don't have the time. And I don't know how much IDS Informer costs but if it's a lot, selling it to management might be hard and I'm not a sales geek (I do realize that at least marginally "sales geek" is part of the security admins job but on a practical note, I'm just not that good at it). So having something prebuilt that is free and that is endorsed by the community, even if it's a limited endorsement, would be great. Tom
-----Original Message----- From: ADT [mailto:synfinatic () gmail com] Sent: Saturday, June 12, 2004 10:58 AM To: Anton A. Chuvakin Cc: focus-ids () securityfocus com Subject: Re: IDS Testing tool On Fri, 11 Jun 2004 01:13:29 -0400 (EDT), Anton A. Chuvakin <anton () chuvakin org> wrote:Is anyone aware of any open source equivalent of Blade'sIDS Informertool to test IDSes? I am aware that TCPReplay can be used to test IDSes but then we will need to make actual attacks atleast once tocapture the traffic. Any help would be appreciated.What's wrong with just blasting it with a vuln scanner? Nessus will generate a lot of noise in most NIDSs and can even betweaked for more"noisyness"Well think about it... a good IDS which limits the number of false positives should detect the actual exploit. A vulnerability scanner is supposed to check for the vulnerability, *not* to run the actual exploit, b/c then it may crash/root/etc your own box. Hence, an exploit should look different then a vulnerability check. Therefore, using Nessus or other vulnerability scanners are a crappy way of testing an IDS. (Of course if you've got a crappy IDS, then perhaps a crappy test methodology is ok.) With that in mind, you can either use Blade's IDS Informer or roll your own solution using tcpreplay. -Aaron -------------------------------------------------------------- ------------- -------------------------------------------------------------- -------------
--------------------------------------------------------------------------- ---------------------------------------------------------------------------
Current thread:
- IDS Testing tool Arun Vishwanathan (Jun 07)
- Re: IDS Testing tool Anton A. Chuvakin (Jun 12)
- Re: IDS Testing tool ADT (Jun 13)
- Re: IDS Testing tool Ron Gula (Jun 15)
- Re: IDS Testing tool ADT (Jun 13)
- <Possible follow-ups>
- Re: IDS Testing tool Tobias Klein (Jun 15)
- Re: IDS Testing tool ADT (Jun 15)
- Re: IDS Testing tool dhm (Jun 16)
- Re: IDS Testing tool typhon --- (Jun 16)
- RE: IDS Testing tool BLADE Software - Chris Ralph (Jun 17)
- RE: IDS Testing tool Tom Arseneault (Jun 21)
- Re: IDS Testing tool ADT (Jun 16)
- RE: IDS Testing tool Ron Gula (Jun 21)
- Re: IDS Testing tool Anton A. Chuvakin (Jun 12)