Penetration Testing: Re: Test scripts for NIDS

Re: Test scripts for NIDS

From: Peter Van Epp <vanepp_at_sfu.ca>
Date: Thu, 2 Sep 2004 21:59:05 -0700

On Wed, Sep 01, 2004 at 01:54:35PM -0700, John Madden wrote:
> I've gotten a lot of suggestions to test the
> signatures, I've got some to test the load but they
> were $$$, anything out there for free?
>
> With software and not an appliance how does one test
> the load to know when the IDS can no longer verify
> packets and they are being dropped? Is this included
> in the software?
>
> Thanks again everyone :)
>

        As several people have mentioned, tcpreplay from sourceforge.net is
open source and thus free (at least of capital cost).
        You test to destruction by starting slowly and assuming or checking that
the IDS catches everything. You then replay the same tcpdump file at ever-
increasing speeds until the IDS output changes (usually by failing to detect
one or more signatures). At that point something in the loop is losing packets.
Now you need to verify that it is the IDS and not somewhere else in your
test setup (hint: if tcpdump or, better, a wire-speed sniffer in parallel with
the IDS network interface sees all the packets you think you sent, then
probably the failure is in the IDS). At any given speed you probably want to
make multiple runs and make sure the IDS reports identically on all of them,
since the packet loss will be random and may not occur during a signature
(isn't performance testing fun? :-) )

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
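The ramp test described in the reply above, as an added example that is not part of the original post and is not code from tcpreplay or any IDS project: a POSIX shell script that replays the same pcap at increasing rates, runs a parallel tcpdump on the IDS side as the "wire-speed sniffer", and stops at the first rate where the IDS's per-signature alert counts diverge from the slow-rate baseline. Everything lab-specific is an assumption: the IDS is taken to write Snort-style "fast" alert lines (the post names no particular IDS), the interface names, file paths and rate list are placeholders, and the three alert lines in SAMPLE_ALERTS are constructed only to show the fingerprint step.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed lab layout: tcpreplay
# transmits on $TX_IF; the IDS and a parallel tcpdump both see that traffic
# on $TAP_IF; the IDS appends Snort-style "fast" alert lines containing
# "[gid:sid:rev]" to $ALERT_FILE. All names below are placeholders.
PCAP=${PCAP:-sample.pcap}
TX_IF=${TX_IF:-eth1}
TAP_IF=${TAP_IF:-eth2}
ALERT_FILE=${ALERT_FILE:-/var/log/snort/alert}
RUNS_PER_RATE=${RUNS_PER_RATE:-3}
RATES=${RATES:-"10 50 100 250 500 1000"}   # Mbit/s, slowest first

# Constructed sample of three Snort-style fast alerts (two of one signature,
# one of another), used only to demonstrate alert_fingerprint.
SAMPLE_ALERTS='09/02-21:59:05.000001  [**] [1:2003:8] TEST sig A [**] [Priority: 2] {TCP} 10.0.0.1:1234 -> 10.0.0.2:80
09/02-21:59:05.000002  [**] [1:2100:1] TEST sig B [**] [Priority: 3] {UDP} 10.0.0.1:53 -> 10.0.0.2:53
09/02-21:59:05.000003  [**] [1:2003:8] TEST sig A [**] [Priority: 2] {TCP} 10.0.0.1:1235 -> 10.0.0.2:80'

# Fingerprint of one run's alerts, read from stdin: one "gid:sid count" line
# per signature, sorted. Comparing per-signature counts rather than the total
# catches a single dropped signature even when the overall count looks right.
alert_fingerprint() {
    sed -n 's/.*\[\([0-9][0-9]*\):\([0-9][0-9]*\):[0-9][0-9]*].*/\1:\2/p' \
        | sort | uniq -c | awk '{ print $2, $1 }'
}

# The post's decision rule: if the parallel sniffer saw every packet sent but
# the IDS output changed, the IDS is losing packets; if the sniffer also missed
# packets, the test rig itself is dropping them. Prints ok / ids-loss / harness-loss.
classify_run() {
    sent=$1; sniffed=$2; baseline=$3; fp=$4
    if [ "$fp" = "$baseline" ]; then
        echo ok
    elif [ "$sniffed" -lt "$sent" ]; then
        echo harness-loss
    else
        echo ids-loss
    fi
}

packet_count() {  # number of packets in a pcap file
    tcpdump -nr "$1" 2>/dev/null | wc -l | tr -d ' '
}

# One replay at $2 Mbit/s with a parallel capture on the IDS side.
# Prints "<sent> <sniffed>".
replay_once() {
    pcap=$1; mbps=$2; cap=$(mktemp)
    tcpdump -ni "$TAP_IF" -s 0 -w "$cap" 2>/dev/null &
    sniffer=$!
    sleep 1                                   # let the sniffer attach before sending
    tcpreplay -i "$TX_IF" -M "$mbps" "$pcap" >/dev/null 2>&1
    sleep 1                                   # drain the capture buffer
    kill "$sniffer" 2>/dev/null; wait "$sniffer" 2>/dev/null
    echo "$(packet_count "$pcap") $(packet_count "$cap")"
    rm -f "$cap"
}

# Ramp: the slowest rate sets the baseline; every later rate must reproduce it
# on all $RUNS_PER_RATE runs, because loss is random and may or may not land
# inside a signature on any single run. Returns 1 at the first divergence.
ramp() {
    baseline=""
    for mbps in $RATES; do
        run=1
        while [ "$run" -le "$RUNS_PER_RATE" ]; do
            before=$(wc -l < "$ALERT_FILE")
            set -- $(replay_once "$PCAP" "$mbps")
            sleep 2                           # give the IDS time to flush its alert log
            fp=$(tail -n +"$(( before + 1 ))" "$ALERT_FILE" | alert_fingerprint)
            [ -n "$baseline" ] || baseline=$fp
            verdict=$(classify_run "$1" "$2" "$baseline" "$fp")
            echo "$mbps Mbit/s run $run: sent=$1 sniffed=$2 $verdict"
            [ "$verdict" = ok ] || return 1
            run=$(( run + 1 ))
        done
    done
}

if [ "${1:-}" = run ]; then ramp; fi
```

Run it as `sh ramp.sh run` with root on the replay host (tcpreplay and tcpdump both need raw socket access). The harness-loss verdict is the check the post asks for: when the parallel capture is short of packets, the problem is in the replay host, NIC or tap, and the IDS has not yet been shown to drop anything; also watch tcpdump's own "dropped by kernel" counter, since a capture host that cannot keep up will under-report what actually reached the IDS.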

Received on Sep 03 2004
