Re: IDS Testing

From: Clint Bodungen (clint@secureconsulting.com)
Date: Thu Mar 11 2004 - 16:08:00 EST


Wednesday, March 10, 2004 1:47 PM
Subject: RE: IDS Testing

> I just run standard tests against them and see if it showed up. Every
> IDS alerts on ../../winnt/system32/cmd.exe or something like that. I
> sometimes connect manually to a web server where the IDS is in the path
> of the traffic. Another idea is to use nmap with the -f (fragments)
> switch....every IDS alerts on small fragments.

> I just went through this with a 24x7x365 managed services security
> service....they didn't pick up anything...it was a riot!

> To be fair, you ought to run attacks in a slowly increasing threat and
> see when things start to light up. Some 'attacks' like a portscan might
> be listed at a low level and then things should start to crank up as you
> launch targeted exploits that match the protected hardware. I'm not
> sure the above named cmd.exe 'exploit' should trigger at all if the web
> servers are all running Apache.

Fragmenting packets is a common IDS evasion technique... especially on older
IDSs. Many IDSs still don't reassemble the session properly. Then, when
you combine fragmentation with slowing your traffic down, you really test
the evasion boundaries of the IDS. The last IDS I worked on could be evaded
quite easily by slowing your attack or scan down somewhat (a little patience
goes a long way). A less stealthy technique is to hit the IDS with a DoS
first (provided it's a pass-by and not a pass-through) while initiating your
attack on your actual target. This will test the IDS's ability to track
sessions properly and pick out the attack while getting hammered with DoS
or other trash/decoy packets.
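As an added example (not code from the original post, and not taken from any IDS product), the Python below builds a TCP segment carrying the cmd.exe request quoted earlier in the thread, splits it into 8-byte IP fragments the way `nmap -f` does, and runs two toy matchers over the fragments: one that inspects each packet on its own, and one that reassembles the datagram first. The addresses, IP identification value, TCP ports and the request string are all constructed for the demonstration.

```python
"""Added example: why per-packet signature matching misses a fragmented attack.

Constructs an IPv4/TCP datagram, fragments it into 8-byte pieces (nmap -f
style), then compares a per-packet matcher with a reassembling one.
Addresses, ports, IP ID and the request are made up for the demo.
"""
import struct

SIGNATURE = b"cmd.exe"
# Constructed sample request of the kind the quoted post says "every IDS" alerts on.
SAMPLE_REQUEST = b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
IP_ID = 0x1234  # assumed identification value shared by all fragments of one datagram


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(data: bytes) -> bytes:
    """Minimal 20-byte TCP header (PSH/ACK, checksum left zero) plus data."""
    return struct.pack("!HHIIBBHHH", 40321, 80, 1000, 0, 0x50, 0x18, 8192, 0, 0) + data


def build_ipv4(payload: bytes, more_fragments: bool, frag_offset: int,
               src="10.0.0.5", dst="10.0.0.80", proto=6, ident=IP_ID) -> bytes:
    """IPv4 header without options; frag_offset is in 8-byte units."""
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment(segment: bytes, frag_size: int = 8) -> list:
    """Split a transport segment into IP fragments; size must be a multiple of 8."""
    assert frag_size % 8 == 0 and frag_size > 0
    frags = []
    for off in range(0, len(segment), frag_size):
        chunk = segment[off:off + frag_size]
        last = off + frag_size >= len(segment)
        frags.append(build_ipv4(chunk, more_fragments=not last, frag_offset=off // 8))
    return frags


def parse_ipv4(pkt: bytes):
    """Return (ident, more_fragments, byte_offset, payload) of one IP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    return ident, bool(flags_frag & 0x2000), (flags_frag & 0x1FFF) * 8, pkt[ihl:total_len]


def reassemble(frags) -> dict:
    """Naive reassembler: groups by IP ID, orders by offset, requires a contiguous
    run ending in a fragment with MF=0. No overlap handling (a real sensor needs it)."""
    by_id = {}
    for f in frags:
        ident, mf, offset, data = parse_ipv4(f)
        by_id.setdefault(ident, []).append((offset, mf, data))
    complete = {}
    for ident, pieces in by_id.items():
        pieces.sort()
        buf, expected = bytearray(), 0
        for offset, mf, data in pieces:
            if offset != expected:
                break
            buf += data
            expected += len(data)
        else:
            if not pieces[-1][1]:  # last piece must not have "more fragments" set
                complete[ident] = bytes(buf)
    return complete


def per_packet_alert(frags, signature: bytes = SIGNATURE) -> bool:
    """Matcher that looks at each fragment's payload in isolation."""
    return any(signature in parse_ipv4(f)[3] for f in frags)


def reassembled_alert(frags, signature: bytes = SIGNATURE) -> bool:
    """Matcher that reassembles the datagram before searching."""
    return any(signature in data for data in reassemble(frags).values())


def demo() -> dict:
    frags = fragment(tcp_segment(SAMPLE_REQUEST))
    return {"fragments": len(frags),
            "per_packet_alert": per_packet_alert(frags),
            "reassembled_alert": reassembled_alert(frags)}


if __name__ == "__main__":
    print(demo())
```

With 8-byte fragments the 7-byte signature lands across a fragment boundary, so the per-packet matcher never fires while the reassembling one does, regardless of the order in which the fragments arrive. That is the check worth running against a sensor under test: confirm it alerts on the reassembled datagram and stream, not only on attacks that happen to fit inside a single packet.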
