Penetration Testing mailing list archives
RE: IDS Testing
From: "Matt Foster" <matt.foster () blade-software com>
Date: Fri, 12 Mar 2004 16:33:28 -0000
Hi List,

We have received quite a lot of emails from people on this list wanting to understand more about IDS Informer, and so I thought one generic post here would ensure that the information gets to the right people.

IDS Informer typically runs on a Windows laptop with two network cards. The cards, when plugged into a network, become virtual PCs, and network card one can send traffic to network card two; when it receives the traffic it then responds to network card one, therefore creating a stateful traffic stream. Any device on the network monitoring would believe that two separate computers are talking.

IDS Informer has a database of attack files, and tests can be configured using any source and destination IP addresses and ports; you can use lists, ranges and random for each of the fields. Time delays of up to one hour can be added between each attack as they are run or between each packet within an attack.

IDS Informer has a number of plug-ins to allow additional capability: there is a command line interface for scripting tests and a development kit to allow the conversion of 3rd party capture files into the Informer format. In addition there is also an evasion plug-in which applies techniques such as fragmentation and sending packets out of sequence to any traffic passing through it; this can be used with IDS Informer or can be used in a standalone mode.

Firewall Informer provides very much the same capabilities as IDS Informer; however, it transmits network protocol files rather than attack traffic.

All in all, the products offer users a self-contained testing system running from a normal Windows laptop with two network cards. You do not need a real target host to connect, and this means that a wide range of testing can be performed quickly, easily and safely in production environments.

Regards
Matt

_____________________________________
Matt Foster
Blade-Software Inc.
www.blade-software.com
Security Verification Management Solutions
______________________________________

-----Original Message-----
From: Frederic Charpentier [mailto:fcharpentier () xmcopartners com]
Sent: 11 March 2004 09:30
To: pen-test () securityfocus com
Subject: Re: IDS Testing

hi.

Some tools are ok to test an IDS, but this is not the best way to do that. A tool will generate stupid triggers to wake up your IDS, like old CGI attacks and low-level tcp/ip tricks.

The best way is to understand the patterns you set up in your IDS. No matter that some stupid guys perform ping-attacks or silly CGI attacks !!

* Try buffer overflow/shellcode patterns, and do simple tests like: copy/paste a shellcode into a telnet session.
* For http intrusion detection, detecting IIS nimda attacks is not efficient; trying to trigger your IDS with XSS/SQL-Injection techniques is much more efficient. Sample:
  http://website/script?req=<script>
  or
  http://website/script?req=' or 1=1

You must understand how an attacker will see your perimeter and then try to figure out how they will test and try attacks. Then, it's easy to set up IDS patterns and to test them with well-known exploits.

"Know yourself and your vulnerabilities, then you can catch the one who wants to attack your system."

An attacker will always try a lot of techniques and attacks before the real intrusion. This "noise" (like XSS, large port scans, SQL, buffer overflow/shellcode) is easy to detect.

The purpose of an IDS is not to detect the maximum of worm attacks, stupid stuff or the real attack which breaks into your systems. The purpose of an IDS is to detect quickly the intruder when he tries or when he is already in your systems. Then, you can quickly find him/her and stop the attack before damages.

Frederic.

Security Tester wrote:
Has anyone ever used a product called IDS Informer made by Blade Software?

I am currently looking at different methods/products that can test the functionality and response of production IDS sensors. I have used stick and snot in the past, but these get old, and quite frankly they really don't test the detection capability of the sensor. They are however great tools for spamming the sensors and slipping in below the radar.

Do any of you have any suggestions as to what might be a good technique/tool to test the responses of the IDS systems, apart from performing the attacks yourself? I am really looking for some sort of way to replay the attack data on the wire, but not actually target any machines.

Any help would be greatly appreciated.

Thanks in advance.

_________________________________________________________________
One-click access to Hotmail from any Web page – download MSN Toolbar now! http://clk.atdmt.com/AVE/go/onm00200413ave/direct/01/

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
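Added example, not part of any poster's message and not taken from IDS Informer or any other product named in this thread: a small regression harness for the point in Frederic Charpentier's reply about understanding and testing the patterns you have configured, using his two sample requests. The signature names, the regexes, the single URL-decoding step and the encoded and benign test cases are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Hypothetical signatures modelled on the two sample requests in the thread.
SIGNATURES = {
    "xss-script-tag": re.compile(r"<\s*script\b", re.I),
    # The backreference \1 only fires on a true tautology (1=1, 7=7), not on 1=2.
    "sqli-or-tautology": re.compile(r"'\s*or\s+(\d+)\s*=\s*\1\b", re.I),
}

def normalize(url):
    """Return the URL-decoded query string, as a sensor should before matching."""
    return unquote_plus(urlsplit(url).query)

def detect(url):
    """Names of the signatures that fire on the normalized query, sorted."""
    query = normalize(url)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))

# Constructed test cases: (request URL, signatures expected to fire).
CASES = [
    # The two samples quoted in the thread.
    ("http://website/script?req=<script>", ["xss-script-tag"]),
    ("http://website/script?req=' or 1=1", ["sqli-or-tautology"]),
    # The same requests as a browser or proxy would encode them.
    ("http://website/script?req=%3CScRiPt%3E", ["xss-script-tag"]),
    ("http://website/script?req=%27+OR+1%3D1", ["sqli-or-tautology"]),
    # Benign look-alikes that must stay silent (false-positive check).
    ("http://website/script?req=transcript+of+1=1", []),
    ("http://website/script?req=o'reilly+order+1", []),
]

def run_cases():
    """Return the cases whose result differs from the expectation."""
    return [(url, want, detect(url)) for url, want in CASES if detect(url) != want]

if __name__ == "__main__":
    for url, want in CASES:
        print(f"{url!r:50} -> {detect(url)}")
    print("failures:", run_cases())
```

A non-empty list from `run_cases()` means a rule or the normalization step no longer behaves as the test set expects, which is the signal to look at before trusting the sensor's silence.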
Current thread:
- IDS Testing Security Tester (Mar 10)
- Re: IDS Testing Cedric Blancher (Mar 10)
- Re: IDS Testing Clint Bodungen (Mar 11)
- Re: IDS Testing (another way) Clint Bodungen (Mar 11)
- Re: IDS Testing Peter Van Epp (Mar 11)
- RE: IDS Testing Jerry Shenk (Mar 11)
- Re: IDS Testing Clint Bodungen (Mar 12)
- Re: IDS Testing Frederic Charpentier (Mar 11)
- RE: IDS Testing Matt Foster (Mar 12)
- <Possible follow-ups>
- RE: IDS Testing Teicher, Mark (Mark) (Mar 10)
- Re: IDS Testing Pedro Andujar (Mar 15)
- FW: IDS Testing Robert E. Lee (Mar 11)
- Re: IDS Testing Don Parker (Mar 12)