IDS mailing list archives
Re: Testing IDS with tcpreplay
From: Bob Walder <bwalder () spamcop net>
Date: Sat, 25 Feb 2006 12:59:48 +0100
I should point out that that is exactly what we have to do. We run the same Metasploit exploit multiple times if it offers options (auto-version, XP-only, W2K-only, etc.) and then we run it against multiple targets, and so on and so forth to go through all the possible permutations. We will then find other exploit tools or live variations of the same exploit and do the same with them (to make sure the IPS cannot ONLY detect the Metasploit version).

Where possible, we will also modify live exploits to change the traffic on the wire whilst accomplishing the same end (i.e. a simplistic example: if the live exploit loads a buffer with all "A"s we will change that to randomise the buffer content to make sure that the IPS vendor is looking for a buffer overflow and not just looking for a bunch of "A"s). Where we cannot modify the exploit, we can often modify the PCAP.

For each test case in our test suite we might have 20, 30, 40 actual replays to cover a wide range of permutations (though no one would be stupid enough to claim they cover ALL possible permutations, even running only live exploits). And yes, we STILL run live exploits too.... horses for courses....

Bob Walder

On 25/2/06 03:13, "Aaron Turner" <synfinatic () gmail com> wrote:
Well, in both cases you're only testing a particular instance of the exploit. If you want to try 500 different instances of a particular exploit you have to run Metasploit 500 times. But when you test another IDS/IPS there is no guarantee that the next 500 times you try it will look exactly like the first 500 times. Using tcpdump/tcpreplay you could capture those 500 tests and replay them any number of times, thereby making sure that all devices see the same thing, which provides true comparative analysis.
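The point Bob makes about randomising the "A"s, illustrated as an added example that is not part of this thread or any of the tools it mentions. It contrasts a signature that only matches a run of "A"s with a protocol-aware length check, and runs both over a small constructed test suite (one hand-built overflow, a set of seeded random fillers, and a benign request) in the style of the 20-to-40 replay permutations described above. The protocol, the 64-byte field limit and the sample payloads are all assumptions made for the example.

```python
import random
import re

# Assumed protocol for the example: a line-oriented "USER <name>\r\n" command
# whose name field is supposed to hold at most FIELD_MAX bytes.
FIELD_MAX = 64
OVERFLOW_LEN = 512


def build_request(name: bytes) -> bytes:
    """Constructed sample request; nothing here comes from a real capture."""
    return b"USER " + name + b"\r\n"


def random_filler(seed: int, length: int = OVERFLOW_LEN) -> bytes:
    """Printable, CR/LF-free filler so the line framing survives the mutation."""
    rng = random.Random(seed)
    return bytes(rng.randrange(0x21, 0x7F) for _ in range(length))


# Constructed test cases: the original "all A's" payload, a benign request,
# and a family of random-filler permutations.
SAMPLES = {
    "benign": build_request(b"alice"),
    "overflow_all_A": build_request(b"A" * OVERFLOW_LEN),
}
PERMUTATIONS = [build_request(random_filler(seed)) for seed in range(20)]

# Brittle detector: looks for the tell-tale run of "A"s rather than the bug.
_BRITTLE_SIG = re.compile(rb"A{100,}")


def brittle_detector(pkt: bytes) -> bool:
    return _BRITTLE_SIG.search(pkt) is not None


# Protocol-aware detector: flags any name field longer than the protocol allows,
# regardless of what bytes fill it.
_USER_LINE = re.compile(rb"USER (.*?)\r\n", re.DOTALL)


def length_detector(pkt: bytes, field_max: int = FIELD_MAX) -> bool:
    m = _USER_LINE.match(pkt)
    return m is not None and len(m.group(1)) > field_max


def detection_rate(detector, payloads) -> float:
    """Fraction of the given payloads the detector fires on."""
    hits = sum(1 for p in payloads if detector(p))
    return hits / len(payloads)


def evaluate(detector) -> dict:
    """Summarise a detector over the fixed samples and the random permutations."""
    return {
        "benign_false_positive": detector(SAMPLES["benign"]),
        "catches_all_A": detector(SAMPLES["overflow_all_A"]),
        "permutation_rate": detection_rate(detector, PERMUTATIONS),
    }


if __name__ == "__main__":
    for name, det in (("brittle", brittle_detector), ("length", length_detector)):
        print(name, evaluate(det))
```

Both detectors catch the hand-built payload, which is all a single replay would ever tell you; only the permutation run separates the signature that memorised the filler from the check that understands the field limit. Replaying the same seeded permutations against each device under test, as Aaron suggests, keeps that comparison fair across products.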