
| Subject: | Re: Evaluating IDS |
|---|---|
| Date: | Mon, 10 Jul 2006 21:45:55 -0700 (PDT) |
Hi,
I would go about testing my IDS in the following way.
Assuming you have a test network and you can play
around, I would take the set of applications most used
in my network and, if feasible, create one server
for each application we are using. Create a
network with 3 routes to the internal network, one via each
IDS, and have 3 attack machines.
Internal N/w----IDS/IPS 1----Attack Machine 1
            ----IDS/IPS 2----Attack Machine 2
            ----IDS/IPS 3----Attack Machine 3
So the steps would be:
1. Create the test setup with the applications we are
using in production, or the segment which we are trying
to protect. Assume the Internet is a threat as well as
an internal employee.
2. Run a pentest on the network from the Internet,
assuming the network being protected by the IDS/IPS is
internal and the external side is your test
attacker's machine. Please keep the default signature
set on all the IDS/IPS.
3. See which ports are open and exploitable with the
NMAP/Nessus combo. Also you can use Amap and Paros,
www.parosproxy.org/faq.shtml . (Make sure you have
libwhisker and Hydra installed on the same machine as
Nessus.)
4. Download the exploit and execute.
While you do the above test, look for:
1. False positives on each IDS: correct attacks
versus the incorrectly alerted attacks.
2. Look for the not-identified attacks (false negatives).
3. Look at the logging capacity and detection capacity
at peak load; say the box is 1 Gb throughput, put
the box under stress and see.
4. Randomly choose a list of attacks and mix it with
the above stress testing, say 10% bad traffic and 90%
normal traffic at a line rate of 1 Gbps; you should see
the actual box sending 900 Mbps and 100 Mbps being
dropped, assuming every UDP/TCP session has the same
payload and packet size.
5. Check the box with fragroute to evade the signature
detection mechanism.
Hope this helps.
TCP-FIN
--- pentesticle@yahoo.com wrote:
I am preparing to evaluate three IDSs on a test network. My intent is to replay normal traffic on the network and have each vendor run their own system to show the capabilities, then I would like to run exploits across the network on certain machines to see how the system detects the exploits, and lastly disable their rule for a particular virus to simulate a 1 day virus propagation and see how the systems detect and react to it moving across the test network. Does anyone have any experience conducting similar evaluations? Any recommendation as to what type of exploits to run on the systems to get the best results from the IDSs? Lastly, anyone know where I can get a virus to use, and any recommendations in that area? I was considering possibly using a honeynet setup for the virus to propagate to, to simulate many systems at once, but am not 100% certain yet. Any recommendations or guidance is much appreciated.
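The reply above tells you what to look for (false positives, false negatives, evasion with fragroute) but not how to score three sensors against the same attack run. The following is an added example, not code from either poster: it keeps a ground-truth list of the attacks actually launched from the attack machine and scores each sensor's alert log against it. Every address, port, exploit name, sensor name and alert line is constructed for the example, the alert line format is a hypothetical normalised one (timestamp, sensor, src, dst, dport, signature text) that you would produce from each vendor's own log, and the 5-second match window is an assumption you would tune to your test harness. An alert that matches a launched attack counts the attack as detected (duplicates do not inflate the score); an alert that matches nothing is a false positive; an attack with no matching alert is a false negative.

```python
"""Score IDS/IPS alerts from several sensors against one attack ground truth.

Added example for an IDS bake-off; all data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Attack:
    start: float   # seconds into the run when the exploit was launched
    src: str
    dst: str
    dport: int
    name: str


@dataclass(frozen=True)
class Alert:
    ts: float
    sensor: str
    src: str
    dst: str
    dport: int
    signature: str


# Constructed ground truth: what the attack machine actually launched.
# The last entry is the same traversal replayed through fragroute,
# to check evasion of the signature engine.
GROUND_TRUTH = [
    Attack(100, "10.0.0.5", "10.1.0.10", 80, "http-dir-traversal"),
    Attack(130, "10.0.0.5", "10.1.0.11", 445, "smb-overflow"),
    Attack(160, "10.0.0.5", "10.1.0.12", 21, "ftp-bruteforce"),
    Attack(200, "10.0.0.5", "10.1.0.10", 80, "http-dir-traversal-fragrouted"),
]

# Constructed alert lines in a hypothetical normalised format:
#   <ts> <sensor> <src> <dst> <dport> <signature text...>
# 10.0.0.7 and 10.0.0.9 only sent replayed normal traffic, so alerts
# on them are false positives.
ALERT_LINES = """\
101 ids1 10.0.0.5 10.1.0.10 80 WEB-MISC directory traversal attempt
102 ids1 10.0.0.5 10.1.0.10 80 WEB-MISC directory traversal attempt
131 ids1 10.0.0.5 10.1.0.11 445 NETBIOS SMB-DS buffer overflow
250 ids1 10.0.0.9 10.1.0.10 80 WEB-MISC suspicious URI
101 ids2 10.0.0.5 10.1.0.10 80 HTTP traversal
161 ids2 10.0.0.5 10.1.0.12 21 FTP login brute force
201 ids2 10.0.0.5 10.1.0.10 80 HTTP traversal
300 ids2 10.0.0.7 10.1.0.11 445 NETBIOS share enumeration
301 ids2 10.0.0.7 10.1.0.11 445 NETBIOS share enumeration
"""

MATCH_WINDOW = 5.0  # assumed: alert must fire within 5 s of attack launch


def parse_alerts(text: str) -> List[Alert]:
    """Parse the normalised alert format; signature text may contain spaces."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, src, dst, dport, sig = line.split(maxsplit=5)
        alerts.append(Alert(float(ts), sensor, src, dst, int(dport), sig))
    return alerts


def score_sensor(sensor: str, attacks: List[Attack], alerts: List[Alert],
                 window: float = MATCH_WINDOW) -> Dict[str, object]:
    """Return TP/FP/FN counts, detection rate, alert precision and misses."""
    detected = set()
    fp = 0
    matched_alerts = 0
    for a in alerts:
        if a.sensor != sensor:
            continue
        hit = next((atk for atk in attacks
                    if (a.src, a.dst, a.dport) == (atk.src, atk.dst, atk.dport)
                    and atk.start <= a.ts <= atk.start + window), None)
        if hit is None:
            fp += 1            # alert with no launched attack behind it
        else:
            detected.add(hit)  # repeated alerts count the attack once
            matched_alerts += 1
    tp = len(detected)
    fn = len(attacks) - tp
    total_alerts = matched_alerts + fp
    return {
        "tp": tp,
        "fp": fp,
        "fn": fn,
        "detection_rate": tp / len(attacks) if attacks else 0.0,
        "alert_precision": matched_alerts / total_alerts if total_alerts else 0.0,
        "missed": sorted(atk.name for atk in attacks if atk not in detected),
    }


if __name__ == "__main__":
    alerts = parse_alerts(ALERT_LINES)
    for sensor in sorted({a.sensor for a in alerts}):
        r = score_sensor(sensor, GROUND_TRUTH, alerts)
        print(f"{sensor}: TP={r['tp']} FP={r['fp']} FN={r['fn']} "
              f"detect={r['detection_rate']:.2f} precision={r['alert_precision']:.2f} "
              f"missed={r['missed']}")
```

In the constructed run, ids1 catches the plain traversal and the SMB overflow but misses the FTP brute force and the fragrouted traversal, while ids2 catches three of four but raises two false positives on benign SMB traffic; keeping the fragrouted attack as a separate ground-truth entry is what lets you report evasion as a miss rather than losing it inside the overall detection rate.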