IDS mailing list archives

RE: IDS Testing tool


From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 21 Jun 2004 09:27:06 -0400

At 02:00 PM 6/14/2004 -0700, Tom Arseneault wrote:

> If, as I suspect, the argument is valid and "vulnerability scanner" does
> not equal "IDS tester" the question then comes to would it be possible
> to write NASL scripts that could validly test an IDS? Is the issue with
> the way the current NASL scripts are written or is it something more
> fundamental? I dabble but I'm not trained as a programmer so the subtle
> stuff escapes me. One thing I do know is that these would have to be a
> special class of scripts with big red warnings "Do not live systems,
> your job may crash".

NASL is not the best place to do this for a self contained NIDS/IPS tester.
NASL can't simulate someone throwing a buffer overflow at a server, and
then getting a root shell. You can write exploits in NASL, but this is not
what Tenable has been trying to do with Nessus. Any NASL check can be
conveniently morphed with several NIDS-bypassing techniques such as
overlapping fragments, but you still need a target to bounce off.

My original post was not so much NIDS testing related, it was IPS related.
Usually, when I do public speaking, I ask folks if they have ever crashed
a router/switch/network with Nessus/NMAP/ISS/Retina/etc. and I usually
get an overwhelming response. And if I ever ask folks if they've run the
Nessus/NeWT DOS family of NASL scripts in their network, I usually get
responses like "I would be fired" or "my network would die". Based on that,
if you are testing an IPS, I think it would be very valuable to run a full-blown
scan with Nessus (or our NeWT Windows vulnerability scanner) and
also enable the DOS checks. If the IPS is not stopping these sorts of basic
scans and DOS attacks, that is something worth noting, but by no means a
complete test.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com/
http://cgi.tenablesecurity.com/tenable/requestForm.php    (NeWT Download)