Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Triggering IDS

From: Christine Kronberg <Christine_Kronberg () genua de>
Date: Thu, 16 Mar 2006 10:15:53 +0100 (CET)

  Hiho,



Y'know how there's the EICAR anti virus test file, which lets you see
if your anti-virus is working, well, I was wondering if there was
something similar to let you see what happens when your IDS triggers?

Should I just send a lot of NOPs in a TCP session, or make obvious
port scans, or is there some kind of 'industry standard' way to
deliberately trigger IDS alarms?


  I know of no 'industry standard'. I don't think there is one. If I
  want to the test my IDS I use a sample of self written rules which
  must trigger. Additionally I have samples of good traffic where my
  IDS must not trigger. But this is specific to my needs. To another
  person my good traffic may be evil. I think this makes it difficult
  to set an 'industry standard'.

  A 'industry standard' must fit to all possible situations without
  flooding the IDS with alarms. Yet it must be so generell that no
  additional software packages are needed. And you must be 100% sure
  that there is no chance for a false positive or false negative.
  For example: Let's use SYN packets to test the IDS. That should be
  no problem for any network. But this is only a part of an IDS. What's
  abount IP fragments? Are they properly detected, too? Or any other
  unusal settings in the packets? An IDS is far more complex than a
  antivirus software.

  Cheers,


                                                Christine Kronberg.

--
GeNUA mbH


------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security? As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/forms/ec.php?pubid=10025 And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com 
------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: