IDS mailing list archives

Re: Worm generating network attack traffic?


From: Jose Nazario <jose () monkey org>
Date: Thu, 4 Dec 2008 16:59:54 -0500 (EST)

my experience in worm simulations with live traffic has roughly found the following:

        - you want to simulate probe traffic and network effects (i.e. TCP
          RSTs, ICMP unreachables, congestion in some cases)
        - you want to detect a successful exploit
        - you want to catch payload transfer
        - you want to catch any secondary actions of the new victim

setting two boxes up on the same LAN with one infected and one not will not get you anything but the probe traffic, no network effects. even if one box is just nmapping and nessusing it's not going to work out so well.

design your lab with the above in mind. check wormblog for some papers on worm "laboratories" and such.

________
jose nazario, ph.d.                 http://monkey.org/~jose/
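As an added illustration of the four items in the list above (not code from the post or its author), the following script replays a constructed set of flow-level events from an imagined lab run and separates probe traffic, the RST/ICMP network effects, a successful exploit, the payload transfer and the new victim's own secondary probing. The hosts, ports, event kinds and thresholds are all invented for the example.

```python
from collections import defaultdict

# Constructed flow events for a toy worm lab (invented sample data, not a capture):
# infector 10.0.0.5 probes tcp/445 across the subnet; most targets answer with a TCP
# RST or ICMP unreachable, 10.0.0.23 completes the handshake, connects back to pull
# the payload, then starts probing on its own. Fields: time, src, dst, port, kind, bytes.
EVENTS = [
    (1.0, "10.0.0.5", "10.0.0.20", 445, "syn", 0),
    (1.1, "10.0.0.20", "10.0.0.5", 445, "rst", 0),
    (1.2, "10.0.0.5", "10.0.0.21", 445, "syn", 0),
    (1.3, "10.0.0.21", "10.0.0.5", 445, "icmp_unreach", 0),
    (1.4, "10.0.0.5", "10.0.0.22", 445, "syn", 0),
    (1.5, "10.0.0.22", "10.0.0.5", 445, "rst", 0),
    (1.6, "10.0.0.5", "10.0.0.23", 445, "syn", 0),
    (1.7, "10.0.0.5", "10.0.0.23", 445, "established", 0),
    (2.0, "10.0.0.23", "10.0.0.5", 8080, "established", 0),
    (2.5, "10.0.0.5", "10.0.0.23", 8080, "data", 52000),
    (3.0, "10.0.0.23", "10.0.0.30", 445, "syn", 0),
    (3.1, "10.0.0.23", "10.0.0.31", 445, "syn", 0),
    (3.2, "10.0.0.23", "10.0.0.32", 445, "syn", 0),
]

PROBE_THRESHOLD = 3         # distinct targets on one port before a source counts as scanning
PAYLOAD_MIN_BYTES = 10_000  # smaller transfers are treated as exploit/control chatter

def analyze(events, probe_threshold=PROBE_THRESHOLD, payload_min=PAYLOAD_MIN_BYTES):
    """Replay flow events in time order and pull out what the post says a lab must expose."""
    probed = defaultdict(set)                  # (scanner, port) -> hosts it sent SYNs to
    effects = {"rst": 0, "icmp_unreach": 0}    # network effects seen in reply to probes
    infected, payloads, secondary = set(), [], set()

    def is_scanner(host):
        return any(s == host and len(t) >= probe_threshold for (s, _), t in probed.items())

    for _, src, dst, port, kind, nbytes in sorted(events, key=lambda e: e[0]):
        if kind == "syn":
            probed[(src, port)].add(dst)
            if src in infected and is_scanner(src):
                secondary.add(src)             # new victim has started its own probing
        elif kind in effects:
            effects[kind] += 1
        elif kind == "established" and is_scanner(src):
            infected.add(dst)                  # a probed host completed the handshake
        elif kind == "data" and dst in infected and nbytes >= payload_min:
            payloads.append((src, dst, nbytes))  # bulk transfer into a fresh victim
    return {"scanners": {s for (s, _) in probed if is_scanner(s)}, "effects": effects,
            "infected": infected, "payloads": payloads, "secondary": secondary}
```

Run on only the first two events (one SYN, one RST, as a two-box LAN would yield) the analysis finds no scanner, no infection and no payload, which is the point the post makes about such a setup.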

