Re: Test scripts for NIDS

From: Peter Van Epp (vanepp@sfu.ca)
Date: Fri Sep 03 2004 - 00:59:05 EDT


On Wed, Sep 01, 2004 at 01:54:35PM -0700, John Madden wrote:
> I've gotten a lot of suggestions to test the
> signatures, I've got some to test the load but they
> were $$$, anything out there for free?
>
> With a software and not an appliance how does one test
> the load to know when the IDS can no longer verify
> packets and they are being dropped? Is this included
> in the software?
>
> Thanks again everyone :)
>

        As several people have mentioned, tcpreplay from sourceforge.net is
open source and thus free (at least of capital cost).
        You test to destruction by starting slowly and assume or check that
the IDS catches everything. You then replay the same tcpdump file at ever
increasing speeds until the IDS output changes (usually by failing to detect
one or more signatures). At that point something in the loop is losing packets.
Now you need to verify that it is the IDS and not somewhere else in your
test setup (hint: if tcpdump or better, a wire speed sniffer in parallel with
the IDS network interface sees all the packets you think you sent, then
probably the failure is in the IDS). At any given speed you probably want to
make multiple runs and make sure the IDS reports identically on all of them
since the packet loss will be random and may not occur during a signature
(isn't performance testing fun? :-) )

Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
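
The comparison step of the procedure described above, as an added example that is not part of the original post: it takes the results of repeated replays at each speed, compares the IDS alerts to the slow baseline, and uses the parallel sniffer's packet count to separate IDS loss from loss elsewhere in the test setup. The signature names, packet counts and rates are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed baseline: alerts per signature from a slow replay where the
# IDS is assumed to have caught everything. Signature names are made up.
BASELINE = Counter({"sig-A": 3, "sig-B": 1})

# Constructed results: (rate in Mbps, packets sent, packets the parallel
# sniffer captured, alerts the IDS raised). Several runs per rate.
RUNS = [
    (10, 5000, 5000, {"sig-A": 3, "sig-B": 1}),
    (10, 5000, 5000, {"sig-A": 3, "sig-B": 1}),
    (50, 5000, 5000, {"sig-A": 3, "sig-B": 1}),
    (50, 5000, 5000, {"sig-A": 3, "sig-B": 1}),
    (100, 5000, 5000, {"sig-A": 3, "sig-B": 1}),
    (100, 5000, 5000, {"sig-A": 2, "sig-B": 1}),  # random loss hit a signature
    (200, 5000, 4870, {"sig-A": 1}),  # sniffer is short too: setup is suspect
]

def missed(baseline, alerts):
    """Alerts present in the baseline but absent from this run."""
    return baseline - Counter(alerts)

def judge_run(baseline, sent, sniffed, alerts):
    if sniffed < sent:
        return "harness-loss"   # the sniffer did not see every packet sent
    if Counter(alerts) != baseline:
        return "ids-loss"       # wire saw everything, IDS output changed
    return "ok"

def summarize(baseline, runs):
    """Worst verdict per rate: one bad run fails the whole rate."""
    rank = {"ok": 0, "harness-loss": 1, "ids-loss": 2}
    per_rate = defaultdict(lambda: "ok")
    for rate, sent, sniffed, alerts in runs:
        verdict = judge_run(baseline, sent, sniffed, alerts)
        per_rate[rate] = max(per_rate[rate], verdict, key=rank.get)
    return dict(per_rate)

def max_clean_rate(summary):
    """Highest rate reached before the first rate that is not 'ok'."""
    best = None
    for rate in sorted(summary):
        if summary[rate] != "ok":
            break
        best = rate
    return best

if __name__ == "__main__":
    s = summarize(BASELINE, RUNS)
    print(s, "max clean rate:", max_clean_rate(s))
```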




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:03 EDT