


IDS: Re: Evaluating IDS

Re: Evaluating IDS

From: Justin Heath <justin.heath_at_gmail.com>
Date: Sun, 2 Jul 2006 09:44:42 -0400

If you haven't already, check out http://www.nss.co.uk/. This is a good
base to start from when developing a test plan.

As far as what exploits to run, I would say that really depends on
your network. What type of attacks would have the highest impact
network/infrastructure? I would mix that in with a variety of recent
and hard-to-detect attacks.

Check out tomahawk, tcpreplay, metasploit and fragroute etc. for
replaying/creating/fragging attack traffic. Spirent builds some good
traffic generation devices (Avalanche/Reflector). These are good for
load testing with clean traffic, however they are quite expensive and
there is a slight learning curve if you haven't used them before.

Cheers,
Justin

On 30 Jun 2006 14:09:37 -0000, pentesticle_at_yahoo.com
<pentesticle_at_yahoo.com> wrote:
> I am preparing to evaluate three IDS's on a test network. My intent is to replay normal traffic on the network and have each vendor run their own system to show the capabilities, then I would like to run exploits across the network on certain machines to see how the system detects the exploits and lastly disable their rule for a particular virus to simulate a 1 day virus propagation and see how the systems detect and react to it moving across the test network.
>
>
> Does anyone have any experience conducting similar evaluations?
>
>
> Any recommendation as to what type of exploits to run on the systems to get the best results from the IDS's?
>
>
> Lastly anyone know where I can get a virus to use and any recommendations in that area? I was considering possibly using a honeynet setup for the virus to propagate to to simulate many systems at once, but am not 100% certain yet.
>
>
> Any recommendations or guidance is much appreciated.

Received on Jul 04 2006
