Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Testing IDS with tcpreplay

from [ehanselman] Network Security [Permanent Link]
Subject: Re: Testing IDS with tcpreplay
Date: Tue, 14 Feb 2006 14:17:56 -0500
Rather than replaying, you'll get a much better view of how well the IDS works if you use real attacks with real obfuscation techniques. Metasploit is a great tool for this (www.metasploit.org).

Setting up Metasploit doesn't have to be hard. There are a bunch of tutorials on using a Whax (bootable Linux CD) ISO image to run from. Simply pop in the CD and boot.

The one hitch is that you'll need to have real victims to attack. Setting up a few target systems as VMWare images makes testing simple. You can use the snapshot capability to return the victim to a pre-attack state.

The problem with pcaps is that you're working with exploits that have already been seen and are static. If your goal is to determine IDS effectiveness, using real attacks is better.

- Eric


-----Original Message-----
From: Elias-Bachrach, Ari (HQ-WRH10) <aeliasba@nasa.gov>
To: Focus-Ids Mailing List <focus-ids@securityfocus.com>
Sent: Mon, 13 Feb 2006 17:07:50 -0500
Subject: Testing IDS with tcpreplay

I'm trying to do some IDS testing, and after digging through the list archives,
the method that appeals the most to me (based in it being both free and very
useful for my current situation), is using tcpreplay with some pcap files to
replay various network attacks and see if the IDS picks them up. My problem is
this - I can't seem to locate a good source of pcap files online that I can
replay. I've tried the usual suspects (defcon, sourcefire, etc.), but I can't
seem to locate any. If anyone knows of any trace files of network attacks
(especially successful attacks) that can be replayed to test an IDS, I'd
certainly appreciate it.

thanks


Ari Elias-Bachrach
NASA OIG
aeliasba@nasa.gov
(202) 358-4578

___________________________________________________
Try the New Netscape Mail Today!
Virtually Spam-Free | More Storage | Import Your Contact List
http://mail.netscape.com


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
------------------------------------------------------------------------

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Testing IDS with tcpreplay, Elias-Bachrach, Ari (HQ-WRH10)
Next by Date:  Re: Real world experience with HIDS, Sebastien Tricaud
Previous by Thread:  Testing IDS with tcpreplay, Elias-Bachrach, Ari (HQ-WRH10)
Next by Thread:  Re: Testing IDS with tcpreplay, Aaron Turner
Indexes:  [Date] [Thread] [Top] [All Lists]