IDS mailing list archives
Re: Evaluating IDS
From: tcp fin <inet_inaddr () yahoo com>
Date: Mon, 10 Jul 2006 21:45:55 -0700 (PDT)
Hi, I would go about testing my IDS in the following way. Assuming you have the test network and you can play around, I would take the set of applications most used in my network and, if feasible, create one server each for each application we are using. Create a network with 3 routes to the internal network via each IDS and have the 3 attack machines:

Internal N/w----IDS/IPS 1----Attack Machine 1 ----IDS/IPS 2----Attack Machine 2 ---- IDS/IPS 3---Attack Machine 3

So the steps would be:

1. Create the test setup with the applications we are using in the production or segment which we are trying to protect. Assuming the Internet is the threat as well as an internal employee is a threat.
2. Run a pentest on the network from the Internet, assuming the network being protected by the IDS/IPS is internal and the external side is your test attacker's machine. Please keep the default signature set on all the IDS/IPS signatures.
3. See which all ports are open and exploitable with the NMAP/Nessus combo. Also you can use Amap and paros www.parosproxy.org/faq.shtml . (Make sure you have libwhisker and Hydra installed on the same machine as Nessus.)
4. Download the exploit and execute.

While you do the above test, look for:

1. False positives on each IDS, correct attacks versus the incorrectly alerted attacks.
2. Look for the not identified attacks, false negatives.
3. Look at the logging capacity and detection capacity at peak load; say the box is 1 Gb throughput, put the box under stress and see.
4. Randomly choose the list of attacks and mix with the above stress testing. Say 10% bad traffic and 90% normal traffic at a line rate of 1 Gbps, you should see the actual box sending 900 Mbps and 100 Mbps being dropped. Assuming every UDP/TCP session is the same payload and packet size.
5. Check the box with fragroute to evade the signature detection mechanism.

Hope this helps.

TCP-FIN

--- pentesticle () yahoo com wrote:
I am preparing to evaluate three IDS's on a test network. My intent is to replay normal traffic on the network and have each vendor run their own system to show the capabilities, then I would like to run exploits across the network on certain machines to see how the system detects the exploits and lastly disable their rule for a particular virus to simulate a 1 day virus propagation and see how the systems detect and react to it moving across the test network. Does anyone have any experience conducting similar evaluations? Any recommendation as to what type of exploits to run on the systems to get the best results from the IDS's? Lastly anyone know where I can get a virus to use and any recommendations in that area? I was considering possibly using a honeynet setup for the virus to propagate to simulate many systems at once, but am not 100% certain yet. Any recommendations or guidance is much appreciated.
------------------------------------------------------------------------
Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
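The reply above says to record false positives, false negatives and what the sensor misses under load, but not how to turn the attack run and the sensor's alert export into those numbers. The following is an added example, not code from the thread or from any of the IDS products discussed: it keeps a ground-truth list of the attacks replayed from the attack machine (constructed below, with constructed addresses and attack names) and a constructed one-line-per-alert export, then matches alerts to attacks by protocol, source, destination and port within a time window. Duplicate alerts for one attack count once towards recall, every unmatched alert is a false positive, and every attack with no alert is a false negative; the export format and the 60-second window are assumptions, so adapt them to whatever your sensor writes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attack:
    """One attack you replayed from the attack machine (ground truth)."""
    name: str
    src: str
    dst: str
    dport: int
    proto: str
    start: datetime


@dataclass(frozen=True)
class Alert:
    """One alert exported from the sensor under test."""
    ts: datetime
    signature: str
    proto: str
    src: str
    dst: str
    dport: int


@dataclass
class Score:
    detected: int          # attacks that raised at least one alert (true positives)
    missed: list           # attack names with no alert at all (false negatives)
    matched_alerts: int    # alerts that belong to some replayed attack
    false_positives: int   # alerts that belong to no replayed attack

    @property
    def precision(self) -> float:
        total = self.matched_alerts + self.false_positives
        return self.matched_alerts / total if total else 0.0

    @property
    def recall(self) -> float:
        total = self.detected + len(self.missed)
        return self.detected / total if total else 0.0


# Constructed ground truth: what the attack machine actually sent during the run.
GROUND_TRUTH = [
    Attack("smb_overflow", "10.1.1.5", "192.168.1.10", 445, "tcp", datetime(2006, 7, 10, 14, 0, 0)),
    Attack("http_dir_traversal", "10.1.1.5", "192.168.1.20", 80, "tcp", datetime(2006, 7, 10, 14, 5, 0)),
    Attack("dns_cache_poison", "10.1.1.6", "192.168.1.53", 53, "udp", datetime(2006, 7, 10, 14, 10, 0)),
]

# Constructed alert export, one alert per line: timestamp|signature|proto|src|dst|dport.
# The last line fires on replayed normal traffic, so it is a false positive; the DNS
# attack raises nothing, so it is a false negative.
ALERT_LOG = """\
2006-07-10 14:00:12|NETBIOS SMB exploit attempt|tcp|10.1.1.5|192.168.1.10|445
2006-07-10 14:00:13|NETBIOS SMB exploit attempt|tcp|10.1.1.5|192.168.1.10|445
2006-07-10 14:05:30|WEB-MISC directory traversal|tcp|10.1.1.5|192.168.1.20|80
2006-07-10 14:20:01|P2P BitTorrent announce|tcp|192.168.1.77|203.0.113.9|6881
"""


def parse_alerts(text: str) -> list:
    """Parse the constructed export format into Alert records (blank lines skipped)."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, sig, proto, src, dst, dport = line.split("|")
        alerts.append(Alert(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            sig, proto.lower(), src, dst, int(dport)))
    return alerts


def score(attacks: list, alerts: list, window: timedelta = timedelta(seconds=60)) -> Score:
    """Match each alert to the replayed attack with the same proto/src/dst/dport whose
    start lies at most `window` before the alert. Unmatched alerts are false positives;
    attacks that collected no alert are false negatives."""
    hits = {a.name: 0 for a in attacks}
    false_positives = 0
    for al in alerts:
        match = next((a for a in attacks
                      if (a.proto, a.src, a.dst, a.dport) == (al.proto, al.src, al.dst, al.dport)
                      and a.start <= al.ts <= a.start + window), None)
        if match is None:
            false_positives += 1
        else:
            hits[match.name] += 1
    missed = [name for name, n in hits.items() if n == 0]
    return Score(detected=len(attacks) - len(missed),
                 missed=missed,
                 matched_alerts=sum(hits.values()),
                 false_positives=false_positives)


if __name__ == "__main__":
    s = score(GROUND_TRUTH, parse_alerts(ALERT_LOG))
    print(f"detected {s.detected}, missed {s.missed}, false positives {s.false_positives}")
    print(f"precision {s.precision:.2f}  recall {s.recall:.2f}")
```

Run the same scoring once on the quiet network and again during the line-rate stress run and the fragroute run from the list above; a drop in recall between the runs is exactly the "detection capacity at peak load" and evasion result the reply asks you to look for, and the `missed` list tells you which signatures to go back and inspect.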
Current thread:
- Re: Evaluating IDS Justin Heath (Jul 04)
- <Possible follow-ups>
- Re: Evaluating IDS tcp fin (Jul 12)
- Re: Re: Evaluating IDS jarleay (Jul 21)
- RE: Re: Evaluating IDS Foster, Matthew (Jul 21)