IDS mailing list archives
RE: IDS Testing tool
From: Ron Gula <rgula () tenablesecurity com>
Date: Mon, 21 Jun 2004 09:27:06 -0400
At 02:00 PM 6/14/2004 -0700, Tom Arseneault wrote:
If, as I suspect, the argument is valid and "vulnerability scanner" does not equal "IDS tester" the question then comes to would it be possible to write NASL scripts that could validly test an IDS? Is the issue with the way the current NASL scripts are written or is it something more fundamental? I dabble but I'm not trained as a programmer so the subtle stuff escapes me. One thing I do know is that these would have to be a special class of scripts with big red warnings "Do not live systems, your job may crash".
NASL is not the best place to do this for a self contained NIDS/IPS tester. NASL can't simulate someone throwing a buffer overflow at a server, and then getting a root shell. You can write exploits in NASL, but this is not what Tenable has been trying to do with Nessus. Any NASL check can be conveniently morphed with several NIDS-bypassing techniques such as overlapping fragments, but you still need a target to bounce off. My original post was not so much NIDS testing related, it was IPS related. Usually, when I do public speaking, I ask folks if they have ever crashed a router/switch/network with Nessus/NMAP/ISS/Retina/.etc and I usually get an overwhelming response. And if I ever ask folks if they've run the Nessus/NeWT DOS family of NASL scripts in their network, I usually get responses like "I would be fired" or "my network would die". Based on that, if you are testing an IPS, I think it would be very valuable to run a full blown scan with Nessus (or our NeWT windows vulnerability scanner) and also enable the DOS checks. If the IPS is not stopping these sorts of basic scans and DOS attacks, that is something worth noting, but by no means a complete test. Ron Gula, CTO Tenable Network Security http://www.tenablesecurity.com/ http://cgi.tenablesecurity.com/tenable/requestForm.php (NeWT Download) --------------------------------------------------------------------------- ---------------------------------------------------------------------------
Current thread:
- Re: IDS Testing tool, (continued)
- Re: IDS Testing tool Anton A. Chuvakin (Jun 12)
- Re: IDS Testing tool ADT (Jun 13)
- Re: IDS Testing tool Ron Gula (Jun 15)
- Re: IDS Testing tool ADT (Jun 13)
- Re: IDS Testing tool Tobias Klein (Jun 15)
- Re: IDS Testing tool ADT (Jun 15)
- Re: IDS Testing tool dhm (Jun 16)
- Re: IDS Testing tool typhon --- (Jun 16)
- RE: IDS Testing tool BLADE Software - Chris Ralph (Jun 17)
- RE: IDS Testing tool Tom Arseneault (Jun 21)
- Re: IDS Testing tool ADT (Jun 16)
- RE: IDS Testing tool Ron Gula (Jun 21)
- Re: IDS Testing tool Anton A. Chuvakin (Jun 12)