IDS mailing list archives

Re: Testing IDS with tcpreplay


From: Bob Walder <bwalder () spamcop net>
Date: Sat, 25 Feb 2006 12:59:48 +0100

I should point out that that is exactly what we have to do. We run the same
Metasploit exploit multiple times if it offers options (auto-version,
XP-only, W2K-only, etc) and then we run it against multiple targets, and so
on and so forth to go through all the possible permutations. We will then
find other exploit tools or live variations of the same exploit and do the
same with them (to make sure the IPS cannot ONLY detect the Metasploit
version). 

Where possible, we will also modify live exploits to change the traffic on
the wire whilst accomplishing the same end (i.e. a simplistic example: if
the live exploit loads a buffer with all "A"s we will change that to
randomise the buffer content to make sure that the IPS vendor is looking for
a buffer overflow and not just looking for a bunch of "A"s). Where we cannot
modify the exploit, we can often modify the PCAP.

For each test case in our test suite we might have 20, 30, 40 actual replays
to cover a wide range of permutations (though no one would be stupid enough
to claim they cover ALL possible permutations, even running only live
exploits).

And yes, we STILL run live exploits too.... horses for courses....

Bob Walder


On 25/2/06 03:13, "Aaron Turner" <synfinatic () gmail com> wrote:


Well in both cases, you're only testing a particular instance of the
exploit.  If you want to try 500 different instances of a particular
exploit you have to run metasploit 500 times.  But when you test
another IDS/IPS there is no guarantee that the next 500 times you try
it will look exactly like the first 500 times.  Using
tcpdump/tcpreplay you could capture those 500 tests and replay them
any number of times, thereby making sure that all devices see the same
thing which provides true comparative analysis.



