Snort mailing list archives
Testing Snort with Blade IDS Informer
From: Holger Mense <holger () project2501 de>
Date: Wed, 27 Apr 2005 19:47:53 +0200
Hello,

I am writing a bachelor thesis about network intrusion detection in general and Snort in particular. I set up a Snort-based sensor in a real network. Now I have recently tested my Snort sensor (using Snort 2.3.2 and the latest Snort rules) with Blade Software's IDS Informer demo version. However, I was a bit disappointed about the results. Besides the Back Orifice and the two portscan attempts, my sensor didn't detect anything else of the remaining 7 attacks provided by IDS Informer. In detail it didn't detect:

- TCP DNS Zone Transfer
- Smurf DOS attempt
- finger search
- IIS Unicode Traps
- IIS htr Buffer Overflow
- rpc.statd exploit
- traceroute attempt

I have checked the rules and don't have any clue why my sensor didn't detect these attacks. At least from reading the rule descriptions I am of the opinion that Snort should detect all attacks. For example, I have looked at the rule for the htr Buffer Overflow. In my opinion the rule "WEB-IIS ism.dll attempt" should be announced by this attack. The rule searches for " .htr" in the packets with uricontent. Looking into the tcpdumps of the IDS Informer simulated attack, I see the pattern "!.htr".

Has someone else on this list tested his sensor(s) with IDS Informer? Were the results the same as mine?

I have also tested my sensor by generating malicious traffic with hping2 and fragroute. The detection engine detected the events. Furthermore, I am already running my sensor on real network traffic. It has already reported incidents.

Thank you for your help,
Holger

--
Holger Mense
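Added example, not code from the original post or from the Snort project: a minimal model of a `uricontent` check (case-insensitive pattern search over the percent-decoded request URI, which is the normalized buffer a URI match is evaluated against) run over two constructed HTTP requests. It shows why a rule looking for " .htr" cannot fire on a URI that carries "!.htr", while a URI carrying "%20.htr" would; the sids, rule messages and request bytes are all constructed for this illustration.

```python
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Rule:
    sid: int            # constructed id, not a real Snort sid
    msg: str
    uricontent: bytes   # pattern searched in the normalized URI
    nocase: bool = True


def normalized_uri(request: bytes) -> bytes:
    """Request-target from the first request line, percent-decoded the way a
    URI normalizer presents it to a uricontent match."""
    first_line = request.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 3:
        raise ValueError("malformed request line")
    return unquote_to_bytes(parts[1])


def matching_sids(request: bytes, rules) -> list[int]:
    """Return the sids of all rules whose uricontent occurs in the URI."""
    uri = normalized_uri(request)
    hits = []
    for r in rules:
        if r.nocase:
            hay, needle = uri.lower(), r.uricontent.lower()
        else:
            hay, needle = uri, r.uricontent
        if needle in hay:
            hits.append(r.sid)
    return hits


# Constructed rules: the first uses the space-prefixed pattern quoted in the
# post, the second a broader pattern to make the difference visible.
RULES = [
    Rule(900001, "space then .htr (pattern quoted in the post)", b" .htr"),
    Rule(900002, "any .htr request (broader check)", b".htr"),
]

# Constructed sample requests, not traffic captured from IDS Informer.
REQ_BANG = b"GET /" + b"A" * 64 + b"!.htr HTTP/1.0\r\nHost: example.test\r\n\r\n"
REQ_SPACE = b"GET /" + b"A" * 64 + b"%20.htr HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("bang", REQ_BANG), ("space", REQ_SPACE)):
        print(name, matching_sids(req, RULES))
```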