RE: IDS Testing

From: Jerry Shenk (jshenk@decommunications.com)
Date: Wed Mar 10 2004 - 14:47:52 EST


I just run standard tests against them and see if it showed up. Every
IDS alerts on ../../winnt/system32/cmd.exe or something like that. I
sometimes connect manually to a web server where the IDS is in the path
of the traffic. Another idea is to use nmap with the -f (fragments)
switch....every IDS alerts on mall fragments.

I just went through this with a 24x7x365 managed services security
service....they didn't pick up anything...it was a riot!

To be fair, you ought to run attacks in a slowly increasing treat and
see when things start to light up. Some 'attacks' like a portscan might
be listed at a low level and then things should start to crank up as you
launch targeted exploits that match the protected hardware. I'm not
sure the above named cmd.exe 'exploit' should trigger at all if the web
servers are all running Apache.

-----Original Message-----
From: Security Tester [mailto:idstester@hotmail.com]
Sent: Wednesday, March 10, 2004 10:59 AM
To: pen-test@securityfocus.com
Subject: IDS Testing

Has anyone ever used a product called IDS Informer made by Blade
Software?
I am currently looking at different methods/products that can test the
functionality and response of production IDS sensors.

I have used stick and snot in the past, but these get old, and quite
frankly
they really don't test the detection capability of the sensor. They are

however great tools for spamming the sensors and slipping in below the
radar.

Do any of you have any suggestions as to what might be a good
technique/tool
to test the responses of the IDS systems, apart from performing the
attacks
yourself. I am really looking for some sort of way to replay the attack

data on the wire, but not actually target any machines.

Any help would be greatly appreciated. Thanks in advance.

_________________________________________________________________
One-click access to Hotmail from any Web page - download MSN Toolbar
now!
http://clk.atdmt.com/AVE/go/onm00200413ave/direct/01/

------------------------------------------------------------------------

---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off
any course! All of our class sizes are guaranteed to be 10 students or
less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of
in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:50 EDT