To test IPS/IDS box.

Hi guys,

Can you please give me some reference or links on how to test IPS/IDS hardware box.

Thanks,
Paari
|
|
Re: To test IPS/IDS box.

Try to break into the network (make sure you have explicit permission first!) and see if it stops you, or alerts. Have a play with nessus, nmap and metasploit for example.

I wouldn't actually go as far as attempting to infect the network with a virus - if it did work then you would have serious problems. You could try it on a completely isolated test network.

cheers,
Jamie

On 05/05/2008, Paari <paarim@...> wrote:
> Hi guys,
>
> Can you please give me some reference or links on how to test IPS/IDS
> hardware box.
>
> Thanks,
> Paari

--
Jamie Riden / jamesr@... / jamie@...
UK Honeynet Project: http://www.ukhoneynet.org/

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
|
|
Re: To test IPS/IDS box.

There are several tools that you can use to aid in testing.

I would use some automated scanning tools first such as Nessus; this will show you how much information can be gathered about a remote system.

Metasploit can also be of use in this situation. I would suggest looking into the ips_filter.rb plugin.

You can also check some conference archives, and SANS reading room for more ideas, and techniques.

http://www.sans.org/reading_room/
http://www.blackhat.com/html/bh-media-archives/bh-multimedia-archives-index.html

I know that there was a presentation that was done in 2006 about IDS and IPS evasion. I am sure that there are tons of others.

Joshua Gimer

On May 5, 2008, at 11:10 AM, Jamie Riden wrote:
> Try to break into the network (make sure you have explicit permission
> first!) and see if it stops you, or alerts. Have a play with nessus,
> nmap and metasploit for example.
>
> I wouldn't actually go as far as attempting to infect the network with
> a virus - if it did work then you would have serious problems. You
> could try it on a completely isolated test network.
>
> cheers,
> Jamie
|
|
Re: To test IPS/IDS box.

Hi.
Comments _inline

On 5 May 2008, at 20:28, Joshua Gimer wrote:
> There are several tools that you can use to aid in testing.
> I would use some automated scanning tools first such as Nessus; this
> will show you how much information can be gathered about a remote
> system.

If an IPS was to *block* all traffic that would allow remote device enumeration, it would break the network. Sure, some specific enumeration attempts can be prevented but these would have to be looked at on a case by case basis. As a rule, Nessus, and its closed source VA alternatives are not normally useful for testing IPS.

> Metasploit can also be of use in this situation. I would suggest
> looking into the ips_filter.rb plugin.
> You can also check some conference archives, and SANS reading room
> for more ideas, and techniques.

Yes, Metasploit is one good tool for your (and everyone's) kit-bag, but it doesn't provide the reproducibility for a real good test. Even though you can run the same exploit/payload/options over and over again inside Metasploit, the target device may change state.

I would recommend taking a set of pcaps *you* create that *you want* your IPS to block (Maybe using metasploit or other tool of choice). You can then replay these over and over again to re-create the same test environment. The same rule applies for clean traffic. Once you have this clean/dirty baseline you can introduce tuning and even different devices for comparison.

This then leaves the qualitative testing of what device can be managed best, used for event analysis best, produces the most meaningful reports etc etc

Regards
-Leon

> http://www.sans.org/reading_room/
> http://www.blackhat.com/html/bh-media-archives/bh-multimedia-archives-index.html
>
> I know that there was a presentation that was done in 2006 about
> IDS and IPS evasion. I am sure that there are tons of others.
>
> Joshua Gimer
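The clean/dirty baseline described in the reply above, as an added example that is not part of the original thread: a scorer that takes the per-pcap outcome of two replay runs and reports the block rate, the false positives and what changed between the runs. The `Replay` record, the pcap names and the way `blocked` is decided (for instance by capturing on the far side of the device) are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Replay:
    pcap: str      # capture file name (constructed sample names)
    dirty: bool    # True: traffic you want the IPS to block
    blocked: bool  # True: replayed traffic did not reach the far side (assumed check)

def score(run):
    """Block rate on dirty pcaps, false-positive rate on clean ones, and the misses."""
    dirty = [r for r in run if r.dirty]
    clean = [r for r in run if not r.dirty]
    missed = sorted(r.pcap for r in dirty if not r.blocked)
    false_pos = sorted(r.pcap for r in clean if r.blocked)
    return {
        "block_rate": (len(dirty) - len(missed)) / len(dirty) if dirty else None,
        "false_positive_rate": len(false_pos) / len(clean) if clean else None,
        "missed": missed,
        "false_positives": false_pos,
    }

def compare(before, after):
    """Diff two runs of the same baseline, e.g. before and after tuning."""
    b = {r.pcap: r for r in before}
    a = {r.pcap: r for r in after}
    if b.keys() != a.keys() or any(b[n].dirty != a[n].dirty for n in b):
        raise ValueError("both runs must replay the same labelled pcap set")
    diff = {"fixed": [], "regressed": []}
    for name in sorted(b):
        was_ok = b[name].blocked == b[name].dirty
        is_ok = a[name].blocked == a[name].dirty
        if is_ok and not was_ok:
            diff["fixed"].append(name)
        elif was_ok and not is_ok:
            diff["regressed"].append(name)
    return diff

# Constructed sample results: the same five pcaps replayed before and after a tuning change.
BEFORE = [Replay("dirty_a.pcap", True, True), Replay("dirty_b.pcap", True, False),
          Replay("dirty_c.pcap", True, True), Replay("clean_web.pcap", False, False),
          Replay("clean_mail.pcap", False, False)]
AFTER = [Replay("dirty_a.pcap", True, True), Replay("dirty_b.pcap", True, True),
         Replay("dirty_c.pcap", True, True), Replay("clean_web.pcap", False, False),
         Replay("clean_mail.pcap", False, True)]

if __name__ == "__main__":
    print("before:", score(BEFORE))
    print("after: ", score(AFTER))
    print("change:", compare(BEFORE, AFTER))
```

In the sample data the tuning change closes the one miss but starts dropping a clean capture, which is the kind of trade-off a fixed baseline makes visible.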
|
|
Re: To test IPS/IDS box.

Hi Guys,

Thank you so much, for all your replies. But there is some misconception from my query. I actually meant how to test the IPS hardware box, like testing the processor and the sensing ports and how to melt down the IPS hardware box. Basically the general guideline for testing the IPS/IDS hardware box. Do we need any specific tools for this?

I am sorry for not making to the point in my previous post.

Thanks,
Paari
|
|
Re: To test IPS/IDS box.

> Thank you so much, for all your replies. But there is some misconception
> from my query. I actually meant how to test the IPS hardware box, like
> testing the processor and the sensing ports and how to melt down the IPS
> hardware box. Basically the general guideline for testing the IPS/IDS
> hardware box. Do we need any specific tools for this?

NSS Labs ( http://nsslabs.com/ ) is an outfit that does exactly this. They do use specialized equipment, such as the Spirent Avalanche to do this, but you could probably rig up a simplified version with some bare-bones Linux boxes (I would recommend using dedicated Intel NICs) on a separate network and some tools like netcat, hping, and the aforementioned metasploit.

The thing I really like about NSS Labs is that they publish their evaluation criteria, which you can find on their website. This criteria looks not just at detection of exploits, but at performance issues and evasion as well (who cares what an IDS can detect if an attacker can just put it out of commission first?).

Hope this helps,
Terry
|
|
Re: To test IPS/IDS box.

On Tue, May 6, 2008 at 6:14 AM, Paari <paarim@...> wrote:
> Hi Guys,
>
> Thank you so much, for all your replies. But there is some misconception
> from my query. I actually meant how to test the IPS hardware box, like
> testing the processor and the sensing ports and how to melt down the IPS
> hardware box. Basically the general guideline for testing the IPS/IDS
> hardware box. Do we need any specific tools for this?
>
> I am sorry for not making to the point in my previous post.

Since different IPS's use different hardware, your tests will need to be specific to your hardware. Honestly, I have no idea what the goals, intent or value of testing in the manner you suggest, so I can't really contribute other than say, if you want to melt down the box, you'll need a significant heat source. Most home improvement/hardware stores sell blow torches which would be a good starting point.

While you're at it, I'd also suggest testing the box's resistance to gunfire. You can start with .22LR and move up from there. Depending on your expected adversary you can use standard NATO calibers or whatever makes sense.

Fun and educational!

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing & replay tools for Unix
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
|
|
RE: To test IPS/IDS box.

***My earlier email bounced back and hence resending it. I am sorry if you receive this email twice.

Hi Paari,

You saw many good replies on tools and methodologies. Another important aspect in testing is to measure the performance and ensure that it satisfies the target network requirements.

Many IPS vendors tend to give UDP performance numbers. It is a good metric which provides the capability of hardware and software. But, any typical network will not have just UDP traffic. Hence, you need to test and evaluate IPS/IDS with respect to different protocols such as HTTP, SIP, RTP, FTP, SMTP, IMAP, POP3 etc. Typical metrics one would like to get for each protocol is - Throughput, Connection rate, Latency and jitter. IXIA and SmartBits are some of the commercial boxes you can use to measure these.

Thanks
Srini

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Paari
Sent: Monday, May 05, 2008 12:19 AM
To: focus-ids@...
Subject: To test IPS/IDS box.

Hi guys,

Can you please give me some reference or links on how to test IPS/IDS hardware box.

Thanks,
Paari
--
View this message in context: http://www.nabble.com/To-test-IPS-IDS-box.-tp17053955p17053955.html
Sent from the IDS (Intrusion Detection System) mailing list archive at Nabble.com.

********************************************************************************
This email message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential, proprietary and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please immediately notify the sender by reply email and destroy all copies of the original message. Thank you.
Intoto Inc.