IDS mailing list archives
RE: interesting paper on testing sig-based IDS
From: "Brian Smith" <bsmith () tippingpoint com>
Date: Thu, 3 Mar 2005 11:03:12 -0600
For what it's worth, I've seen IPSs that cannot deal with TCP or IP fragmentation or overlap testing, so it's worth testing it. Fragroute is the standard tool for doing this testing. Whisker and ADMutate are also good off-the-shelf tools for evasion testing. I believe the latest version of Blade's software has evasion testing built in. When using these tools, make sure that the set of evasions you're testing doesn't neuter the attack. It's possible to use these tools to hide an attack so effectively with evasions that they evade the target system!

The other thing you may have to consider when testing inline IPSs is to realize that they become part of the network infrastructure -- every packet in the network goes through them, often multiple times. So evaluating performance is often as important as evaluating security, and the actual performance of the devices is all over the map. If their throughput, latency, or other performance characteristics are unacceptable in your situation, that's also a show stopper. We have a customer, for instance, that regularly processes > 600K packets per second. This was a requirement for his environment, and if an IPS couldn't keep up with this, it wasn't worth considering.

The tricky part of this performance testing is that the code path executed by an IPS, and therefore the performance, is dependent on the type of traffic. For example, a different code path will be executed for HTTP vs. DNS. If processing a DNS packet takes a long time, this won't show up if you test with a pure HTTP mix, or a SmartBits set to send Ethernet frames filled with 0s. So it's important to use the protocol mix of the target network when testing performance. Tomahawk (tomahawk.sourceforge.net) is a tool I developed to replay traffic from a target network through the IPS for performance testing.

Finally, test that the IPS can block attacks and maintain throughput at the same time. It doesn't do much good if the IPS starts missing attacks under load, or slows to a crawl under attack. I usually test with an attack rate I'd expect in the next worm outbreak (maybe 100 - 2000 attacks/second, depending on how fast your network is).

HTH
Brian

________________________________________
From: buineach [mailto:securesolutions () gmail com]
Sent: Tue 3/1/2005 5:58 PM
To: Jonathon Giffin
Cc: Kohlenberg, Toby; focus-ids () lists securityfocus com; Shai Rubin
Subject: Re: interesting paper on testing sig-based IDS

Hi

I just joined this forum so apologies if this has been asked/answered before. Is this tool available to the general public? I do a lot of IPS testing and would like to verify further the fragmentation and TCP segment handling of these inline products. I have been assuming that all current IPS products have mechanisms to deal with evasion techniques like this, but as the NSS testing results show, a lot of current IPS solutions are nothing more than the offline IDS they were before, with many signatures disabled and 2 NICs. A real concern I have with inline IPSs that depend on a central CPU to deal with fragmentation and segmentation evasion is that an overload attack with this traffic will make the IPS the weakest link in the network. I have ruled out many IPS vendors based on using ISIC through the IPS, but would like to have a more specific tool to deal with TCP segment shifting, with the Metasploit Framework for example, to see who fails here.

Any info appreciated.

Mick

On Mon, 28 Feb 2005 10:32:20 -0600, Jonathon Giffin <giffin () cs wisc edu> wrote:
Kohlenberg, Toby wrote:
http://www.cs.ucsb.edu/~vigna/pub/2004_vigna_robertson_balzarotti_CCS04.pdf

You may also be interested in Automatic Generation and Analysis of NIDS Attacks by Rubin, Jha, and Miller from ACSAC 2004.
http://www.cs.wisc.edu/wisa/papers/acsac04/RJM04.pdf

Abstract: A common way to elude a signature-based NIDS is to transform an attack instance that the NIDS recognizes into another instance that it misses. For example, to avoid matching the attack payload to a NIDS signature, attackers split the payload into several TCP packets or hide it between benign messages. We observe that different attack instances can be derived from each other using simple transformations. We model these transformations as inference rules in a natural-deduction system. Starting from an exemplary attack instance, we use an inference engine to automatically generate all possible instances derived by a set of rules. The result is a simple yet powerful tool capable of both generating attack instances for NIDS testing and determining whether a given sequence of packets is an attack. In several testing phases using different sets of rules, our tool exposed serious vulnerabilities in Snort--a widely deployed NIDS. Attackers acquainted with these vulnerabilities would have been able to construct instances that elude Snort for any TCP-based attack, any Web-CGI attack, and any attack whose signature is a certain type of regular expression.

Disclaimer: I am part of the same research group as the authors of this paper.

Thanks,
Jon

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
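The overlap check Brian recommends (and the "don't neuter the attack" caveat) boils down to one question: when two TCP segments cover the same sequence range with different bytes, which copy does the sensor keep, and is that the same copy the target host keeps? The following is an added example, not code from the original thread, fragroute, Tomahawk or any product discussed here. It models a stream reassembler with two illustrative overlap policies ("first" keeps the byte that arrived first, "last" lets a later segment overwrite), generates the kind of overlapping-segment evasion a fragroute-style tool sends, and reports whether the evasion works against a sensor whose policy differs from the host's, or merely neuters the attack. The payload, signature and policy names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP data segment: relative sequence number plus payload bytes."""
    seq: int
    data: bytes


def reassemble(segments, policy="first"):
    """Rebuild the byte stream from segments in arrival order.

    policy="first": a byte already placed at an offset is kept (earlier data wins).
    policy="last":  a later segment overwrites earlier data at the same offset.
    These two policies are illustrative assumptions; real stacks have more cases.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown overlap policy: {policy}")
    placed = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first" and off in placed:
                continue
            placed[off] = byte
    if not placed:
        return b""
    end = max(placed) + 1
    holes = [k for k in range(end) if k not in placed]
    if holes:
        raise ValueError(f"stream has holes at offsets {holes[:5]}")
    return bytes(placed[k] for k in range(end))


# Constructed sample: a trivial "attack" request and the substring an IDS signature keys on.
PAYLOAD = b"GET /cgi-bin/EVILSTRING HTTP/1.0\r\n"
SIGNATURE = b"EVILSTRING"


def build_overlap_test(payload=PAYLOAD, chaff_byte=b"X"):
    """Split the payload into three segments, then send a chaff segment that
    fully overlaps the middle one (the part carrying the signature bytes).

    A "first" reassembler sees the original payload; a "last" reassembler
    sees the chaff in place of the middle segment.
    """
    a, b, c = payload[:10], payload[10:20], payload[20:]
    chaff = chaff_byte * len(b)
    return [Segment(0, a), Segment(10, b), Segment(10, chaff), Segment(20, c)]


def evaluate(segments, signature, host_policy, ids_policy):
    """Compare what the target host and the sensor each reconstruct.

    evasion_succeeds: host still receives the attack but the sensor does not see it.
    attack_neutered:  the evasion destroyed the attack on the host itself (Brian's caveat).
    """
    host_stream = reassemble(segments, host_policy)
    ids_stream = reassemble(segments, ids_policy)
    host_hit = signature in host_stream
    ids_hit = signature in ids_stream
    return {
        "host_sees_attack": host_hit,
        "ids_sees_attack": ids_hit,
        "evasion_succeeds": host_hit and not ids_hit,
        "attack_neutered": not host_hit,
    }


if __name__ == "__main__":
    segs = build_overlap_test()
    for host, ids in (("first", "last"), ("last", "first"), ("first", "first")):
        print(f"host={host:5} ids={ids:5} ->", evaluate(segs, SIGNATURE, host, ids))
```

The useful outcome of such a run is not "the evasion works" on its own: a result where the host copy no longer contains the attack means the test case was neutered and proves nothing about the sensor, which is exactly the trap Brian warns about. Only the case where the host reconstructs the attack while the sensor does not counts as a sensor failure.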
Current thread:
- interesting paper on testing sig-based IDS Kohlenberg, Toby (Feb 28)
- Re: interesting paper on testing sig-based IDS Jonathon Giffin (Mar 01)
- Re: interesting paper on testing sig-based IDS buineach (Mar 02)
- Re: interesting paper on testing sig-based IDS Shai Rubin (Mar 02)
- Re: interesting paper on testing sig-based IDS buineach (Mar 02)
- Re: interesting paper on testing sig-based IDS Giovanni Vigna (Mar 02)
- Re: interesting paper on testing sig-based IDS Stefano Zanero (Mar 04)
- Re: interesting paper on testing sig-based IDS Richard Bejtlich (Mar 02)
- <Possible follow-ups>
- RE: interesting paper on testing sig-based IDS Kyle Quest (Mar 04)
- RE: interesting paper on testing sig-based IDS Jose Maria Lopez Hernandez (Mar 06)
- RE: interesting paper on testing sig-based IDS Kyle Quest (Mar 06)
- RE: interesting paper on testing sig-based IDS Brian Smith (Mar 06)
- RE: interesting paper on testing sig-based IDS Micheal Reynolds (Mar 06)
- Re: interesting paper on testing sig-based IDS Jonathon Giffin (Mar 01)