Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Test scripts for NIDS
From: ADT <synfinatic () gmail com>
Date: Sat, 4 Sep 2004 18:16:05 -0700

If you're using tcpreplay for performance testing, there are a few
things you should be aware of:

1) Read the FAQ and learn how to tune your OS network stack for best
replay performance.  There is also a listing of common error/warning
messages and detailed meanings.

2) tcpreplay will detect a failure to send a packet (ie: your hardware
can't keep up) and will continue trying to resend the packet until the
hardware catches up.

3) tcpreplay makes a "best effort" in terms of replaying traffic at
the speed you request.  There are a number of things which can make
things difficult:
   a) your pcap only has a few packets
   b) your OS doesn't have a very granular nanosleep() implimentation
   c) and probably others I'm forgetting

Generally speaking I do not recommend using tcpdump to validate unless
you are testing an inline device and you want to know about



On Thu, 2 Sep 2004 21:59:05 -0700, Peter Van Epp <vanepp () sfu ca> wrote:
On Wed, Sep 01, 2004 at 01:54:35PM -0700, John Madden wrote:
I've gotten alot of suggestions to test the
signatures, i've got some to test the load but they
were $$$, anything out there for free ?

With a software and not an appliance how does one test
the load to know when the IDS can no longer verify
packets and they are being dropped ? Is this included
in the software ?

Thanks again everyone :)

        As several people have mentioned tcpreplay from sourceforge.net is
open source and thus free (at least of capital cost).
        You test to destruction by starting slowly and assume or check that
the IDS catches everything. You then replay the same tcpdump file at ever
increasing speeds until the IDS output changes (usually by failing to detect
one or more signatures). At that point something in the loop is losing packets.
Now you need to verify that it is the IDS and not somewhere else in your
test setup (hint: if tcpdump or better, a wire speed sniffer in parallel with
the IDS network interface sees all the packets you think you sent, then
probably the failure is in the IDS). At any given speed you probably want to
make multiple runs and make sure the IDS reports identically on all of them
since the packet loss will be random and may not occur during a signature
(isn't performance testing fun? :-) )

Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]