Jessland - www.jessland.net


NIDS / NIPS Testing

Content Leader: Jess Garcia - Last Updated: August 30, 2006


General Information

  • Refs:
  • NIDS Products Evaluations:
  • Standard test data:
  • Example Tests:
  • Tips
    • "Use the DoS plugins & IDS Evasion features (URL encoding, TCP desynchronized pkts, fragmentation, ...) of the Vulnerability Scanner."
    • "I am aware of the fact that SMARTBITS alone is not sufficient to properly test a network IDS. I was merely giving an example of the expense someone has to incur to set up proper simulation environments to exercise their products so they will have good behavior in real-world networks".
  • Snort Testing:
  • "The absolute best way to get Snort to generate events is to go out and grab a bunch of exploits from Packetstorm (or whatever) and run real attacks. It's more work but it'll do the trick. Alternatively, you could go through the Snort rule set and strip out the state management checks like the flow and flowbits keywords and run stick/snot/sneeze. One other alternative is to grab a big pcap of a hacking event like DefCon CTF from someplace and run the traffic back through Snort." Marty Roesch
  • "Snort's TCP inspection capabilities have been immune to "testing" with Snot, Stick, Sneeze, and now Mucus since the implementation of stream4 three years ago. I would not waste time using stateless tools like these to generate TCP traffic of any sort." Richard Bejtlich
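Roesch's second suggestion above (strip the state-management keywords from the rule set and run a stateless generator against it) is mechanical enough to script. What follows is an added example, not code from Jessland or from the Snort project: it parses single-line Snort rules, drops the flow and flowbits options, and builds a payload that satisfies the rule's content matches in order, which is what Snot/Stick-style generators do from a rule file. Keywords the generator cannot model (pcre, byte_test, byte_jump) are reported rather than guessed at. The three sample rules, their sids and the content strings are constructed for the example and are not real Snort rules.

```python
"""Snort rule de-stating and payload generation (added example, not Jessland's code).
Strips flow/flowbits as Roesch suggests and builds payloads that satisfy the
rule's content matches, as Snot/Stick-style generators do.  Sample rules and
their sids (local range) are constructed for this example."""

SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC test.cgi access"; '
    'flow:to_server,established; content:"GET "; depth:4; '
    'content:"/cgi-bin/test.cgi"; nocase; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB negotiate"; '
    'flow:to_server,established; flowbits:set,smb.negotiate; flowbits:noalert; '
    'content:"|FF|SMB|72|"; offset:4; depth:5; sid:1000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC pcre only"; '
    'flow:to_server,established; pcre:"/^GET \\/admin\\/[a-z]+\\.php/"; sid:1000003; rev:1;)',
]
STATE_KEYWORDS = {"flow", "flowbits"}   # options that need a tracked TCP stream


def split_options(body):
    """Split the option body on ';', honouring double quotes and backslash escapes."""
    opts, cur, in_quote, escape = [], [], False, False
    for ch in body:
        if escape:
            cur.append(ch)
            escape = False
        elif ch == "\\":
            cur.append(ch)
            escape = True
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            in_quote ^= ch == '"'
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def parse_rule(rule):
    """Return (header, [option, ...]) for a single-line rule."""
    header, _, body = rule.partition("(")
    body = body.strip()
    return header.strip(), split_options(body[:-1] if body.endswith(")") else body)


def strip_state_options(rule):
    """Rebuild the rule without flow/flowbits so a stateless generator can fire it."""
    header, opts = parse_rule(rule)
    kept = [o for o in opts if o.partition(":")[0].strip() not in STATE_KEYWORDS]
    return f"{header} ({'; '.join(kept)};)"


def decode_content(value):
    """Decode a content value like "text|68 65 78|text" (backslash escapes honoured); None if negated."""
    value = value.strip()
    if value.startswith("!"):
        return None                       # content:!"..": payload must avoid these bytes
    inner = value[1:-1] if value.startswith('"') and value.endswith('"') else value
    out, hexbuf, in_hex, i = bytearray(), [], False, 0
    while i < len(inner):
        ch = inner[i]
        if in_hex and ch == "|":
            out += bytes.fromhex("".join(hexbuf))
            hexbuf, in_hex = [], False
        elif in_hex:
            if ch != " ":
                hexbuf.append(ch)
        elif ch == "|":
            in_hex = True
        else:
            if ch == "\\" and i + 1 < len(inner):
                i += 1                    # escaped literal: \" \; \\ \|
            out.append(ord(inner[i]))
        i += 1
    return bytes(out)


def build_payload(rule):
    """One payload satisfying every positive content in order; offset:N pads so the
    content starts at byte >= N, distance:N pads N bytes past the previous content.
    Returns (payload, unsupported) where unsupported lists keywords not modelled."""
    _, opts = parse_rule(rule)
    payload, unsupported, pending = bytearray(), [], None   # pending = [bytes, start]

    def flush():
        if pending:
            payload.extend(b"\x00" * max(0, pending[1] - len(payload)))
            payload.extend(pending[0])

    for opt in opts:
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "content":
            flush()
            data = decode_content(val)
            pending = [data, len(payload)] if data is not None else None
        elif key == "offset" and pending:
            pending[1] = max(pending[1], int(val))
        elif key == "distance" and pending:
            pending[1] = len(payload) + int(val)
        elif key in ("pcre", "byte_test", "byte_jump"):
            unsupported.append(key)
    flush()
    return bytes(payload), unsupported


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(strip_state_options(rule))
        print("   payload:", build_payload(rule))
```

The third sample rule is the FPG caveat in miniature: a rule whose only match is a pcre gets an empty payload and an "unsupported" flag, so a generator built this way should skip or hand-craft those rules rather than claim coverage for them.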

Tools

  • Snot
  • Stick
  • FPG
    • The false-positive generator: builds traffic that matches rule content so the sensor alerts without a real attack.
    • Not all Snort rule keywords are supported.
    • pcre in particular is hard to implement, since generating data that satisfies an arbitrary regular expression is much harder than reproducing a fixed content match.
  • Sneeze
  • Mucus
  • IDS Informer
    • "This tool not only sends the attacks out on the wire but also completes a three-way handshake with the attack, simulating a victim host to make Snort/any IDS think an actual attack is taking place. You can choose from hundreds, if not more, attacks from its attack selector. They'll give you a 30-day trial if you want to sniff it out. It is definitely worth a look at!"
  • FTester
  • Evasion Gateway by BLADE Software
    • Runs on Windows machines. Allows you to dynamically set fragmentation thresholds and provides detailed reporting. It's not free, but it was designed specifically to work with their other pcap replay tools, can be run on the same machine, and doesn't even require an IP stack.
  • Fragrouter
  • Nessus
  • Toast: Shell script which launches 56 different DoS attacks against a victim IP. (Download from PacketStorm)
  • Traffic IQ
    • Designed to test inline network devices such as firewalls, IPS/IDS, UTMs, routers and switches.
    • Traffic IQ Pro uses two network cards to transmit traffic files statefully, so no live target system is needed; this architecture also lets you spoof any source and destination IP address, port and MAC address.
  • tcpsic
    • For testing how well the appliance handles fragmented packets
  • Nikto and Nessus, to see how many of their attacks the appliance detects
  • Metasploit, to see how well the appliance handles real attacks
  • ??? - tools that do an HTTP GET flood
  • CRI - CANVAS Reference Implementation
    • The CRI is a subset of Immunity's CANVAS product, available for free under an NDA. It includes a working exploit for an LSASS bug, so you can test whether your NIDS, HIDS, NIPS or HIPS parses SMB and MSRPC correctly and detects a sample exploit.
    • Facts: this means the IDS must parse MSRPC and SMB correctly.
    • CRI-compliant products: ISS, Intrushield
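Why stateless generators fail against stream-aware engines (Bejtlich's point above about stream4), why IDS Informer and Traffic IQ go to the trouble of completing a handshake, and why "TCP desynchronized pkts" is listed among the evasion features worth exercising, can all be shown with one small simulation. The following is an added example, not code from Jessland or from any of the tools listed: a stream4-style tracker that only hands payload to the content matcher once a flow has completed the three-way handshake and the segment is the next expected one, run side by side with a per-packet matcher over the same bytes. The packets, addresses, sequence numbers and the signature are constructed for the example.

```python
"""Stateless vs stream-aware inspection (added example, not code from the page).

Shows why Snot/Stick-style packets never reach a stream4-style engine's matcher
while an IDS Informer-style exchange (full handshake, in-sequence data) does.
All packets, addresses and the signature below are constructed for the example.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags seq ack payload")

SIGNATURE = b"/cgi-bin/test.cgi"                       # constructed content match
ATTACK = b"GET /cgi-bin/test.cgi HTTP/1.0\r\n\r\n"
C, S = ("10.0.0.5", 40000), ("10.0.0.80", 80)         # client and server endpoints


def stateless_inspect(packets, signature):
    """Per-packet matcher, what Snot/Stick were written against: no TCP state at all."""
    return sum(1 for p in packets if signature in p.payload)


class StreamTracker:
    """Minimal stream4-style tracker.

    Payload is released to the matcher only when the flow has completed the
    three-way handshake and the segment's seq is the next expected byte; a
    handshake-less or out-of-sequence segment is dropped with a reason.
    """

    def __init__(self):
        self.flows = {}        # (client, server) -> {"state", "c_next", "s_next"}

    def feed(self, p):
        """Return ('inspect', payload) or ('drop', reason) for one segment."""
        a, b = (p.src, p.sport), (p.dst, p.dport)
        if "S" in p.flags and "A" not in p.flags:                 # client SYN
            self.flows[(a, b)] = {"state": "SYN_SENT", "c_next": p.seq + 1, "s_next": None}
            return "drop", "handshake"
        if (b, a) in self.flows:                                   # server -> client
            f = self.flows[(b, a)]
            if f["state"] == "SYN_SENT" and "S" in p.flags and "A" in p.flags \
                    and p.ack == f["c_next"]:
                f["state"], f["s_next"] = "SYN_RECV", p.seq + 1    # SYN/ACK
                return "drop", "handshake"
            return self._data(f, p, "s_next")
        if (a, b) in self.flows:                                   # client -> server
            f = self.flows[(a, b)]
            if f["state"] == "SYN_RECV" and "A" in p.flags and p.ack == f["s_next"]:
                f["state"] = "ESTABLISHED"                         # final ACK
                if not p.payload:
                    return "drop", "handshake"
            return self._data(f, p, "c_next")
        return "drop", "no flow"              # no SYN ever seen: a stateless tool's packet

    def _data(self, f, p, side):
        if f["state"] != "ESTABLISHED":
            return "drop", "not established"
        if not p.payload:
            return "drop", "no data"
        if p.seq != f[side]:
            return "drop", "out of sequence"   # desynchronised segment: the evasion case
        f[side] += len(p.payload)
        return "inspect", p.payload


def stateful_inspect(packets, signature):
    """Count matches only on payload the tracker actually releases to the matcher."""
    tracker, hits = StreamTracker(), 0
    for p in packets:
        verdict, data = tracker.feed(p)
        if verdict == "inspect" and signature in data:
            hits += 1
    return hits


def stick_like(payload):
    """One PSH/ACK carrying the attack with no handshake, as Snot/Stick emit."""
    return [Packet(*C, *S, "PA", 1000, 5000, payload)]


def informer_like(payload, desync=0):
    """Handshake then the attack, as IDS Informer does; desync shifts the data seq."""
    return [
        Packet(*C, *S, "S", 1000, 0, b""),
        Packet(*S, *C, "SA", 5000, 1001, b""),
        Packet(*C, *S, "A", 1001, 5001, b""),
        Packet(*C, *S, "PA", 1001 + desync, 5001, payload),
    ]


if __name__ == "__main__":
    for name, pkts in (("stick-like", stick_like(ATTACK)),
                       ("informer-like", informer_like(ATTACK)),
                       ("desynchronised", informer_like(ATTACK, desync=100))):
        print(f"{name:15s} stateless={stateless_inspect(pkts, SIGNATURE)} "
              f"stateful={stateful_inspect(pkts, SIGNATURE)}")
```

The stick-like packet fires the per-packet matcher and is silently dropped by the tracker; the Informer-like exchange fires both; the desynchronised variant completes the handshake but carries data at the wrong sequence number and so is dropped again. A tracker that alerted on the third case would be the one to keep testing, because real evasion tools exploit exactly that gap between what the sensor and the end host accept.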

Copyright © 2000-2008 Jessland - Jess Garcia's Website - All rights reserved.