IDS mailing list archives
Re: Metasploit and efficacy of IPS devices
From: H D Moore <sflist () digitaloffense net>
Date: Tue, 23 Oct 2007 10:26:53 -0500
Disclaimer: I work on both the Metasploit and BreakingPoint products. Many test labs use Metasploit (along with Core, Canvas, and commercial tools like BreakingPoint) to perform IPS certification. While this isn't a 1:1 of what IPS detects what exploit, the public reports are a good start. http://nsslabs.com/content/category/4/22/42/ http://www.icsalabs.com/icsa/topic.php?tid=4d56$eed283d1-c66d427c$af04-d91faa8c Three things to keep in mind when evaluating an IPS for attack detection. 1) Most IPS products ship with a limited number of signatures enabled by default. In some cases, this signature set is less than a third of the total, resulting in terrible out-of-the-box coverage. If you are going to perform your own test, I suggest running it once with out-of-the-box settings, and again with all signatures enabled. 2) The better exploit tools (Metasploit and BreakingPoint for sure) allow you to change how attacks are delivered via user-configurable options. In Metasploit 3, the "show evasions" command will list numerous parameters that change how traffic is generated and delivered. In the BreakingPoint case, each Strike supports a wide range of evasion options, from Layer 3 all the way to the exploit parameters and payloads. 3) When testing with exploits designed to give you a shell (Metasploit, Core, CANVAS, etc), the IPS may detect the attack based on exploit and tool-specific traffic patterns. For example, one IPS detects common shellcode decoder stubs in the default signature set. This can scew your test results, since these decoder stubs are trivial to modify. Hopefully that wasn't too spammy ;-) -HD On Tuesday 23 October 2007, Ravi Chunduru wrote:
how effectively different vendor IPS boxes detect and prevent attacks generated by Metasploit pen tool? is there any report comparing different IPS boxes related to this?
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Metasploit and efficacy of IPS devices Ravi Chunduru (Oct 23)
- Re: Metasploit and efficacy of IPS devices H D Moore (Oct 23)
- Re: Metasploit and efficacy of IPS devices Jason (Oct 24)
- Re: Metasploit and efficacy of IPS devices H D Moore (Oct 23)