From: chewy (chewy@pandora.be)
Date: Thu Mar 16 2006 - 01:26:03 EST
Hi Adam,
A DNS version query is what we use to trigger NIDS sensors.
It does not matter whether the destination responds yes or no since it's
UDP and the trigger is the query. This can be performed to any host no
matter if the host has UDP 53 in listening state or not.
If you have a lot of NIDS sensors then port scanning might be noisy.
Also this might not work against a firewalled host.
The same counts for the DNS query.
Another option and the most preferred one is writing your own signature.
I prefer UDP or another stateless protocol to avoid real session
creation.
Am not 100% certain but I do not think there is a real industry standard
packet for this.
Gr,
David
-----Original Message-----
From: AdamT [mailto:adwulf@gmail.com]
Sent: Wednesday, 15 March 2006 16:09
To: pen-test@securityfocus.com
Subject: Triggering IDS
Dear all,
Y'know how there's the EICAR anti virus test file, which lets you see
if your anti-virus is working, well, I was wondering if there was
something similar to let you see what happens when your IDS triggers?
Should I just send a lot of NOPs in a TCP session, or make obvious
port scans, or is there some kind of 'industry standard' way to
deliberately trigger IDS alarms?
-- AdamT 'Thank-you for not requesting read receipts'
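
An added example, not part of either message above: a sketch of the DNS version query David describes, next to the kind of payload check a sensor signature would apply to it, showing that the match depends only on the query datagram and not on any reply. It assumes the query meant is the common `version.bind` TXT lookup in the CHAOS class; the function names are hypothetical and `is_version_query` is a stand-in for a real NIDS rule.

```python
import socket
import struct

QTYPE_TXT = 16     # TXT record type
QCLASS_CHAOS = 3   # CHAOS class, used for version.bind (assumed query)

def encode_qname(name: str) -> bytes:
    """Encode a dotted name as DNS length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_version_query(txid: int = 0x1D5E) -> bytes:
    """Build a DNS query for version.bind, type TXT, class CHAOS."""
    # Header: id, flags (standard query), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_qname("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    return header + question

def is_version_query(payload: bytes) -> bool:
    """Sensor-side check on a UDP/53 payload (stand-in for a NIDS signature)."""
    if len(payload) < 12:
        return False
    _, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:      # QR bit set means a response
        return False
    pos, labels = 12, []
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n > 63 or pos + 1 + n > len(payload):   # pointer or truncated label
            return False
        labels.append(payload[pos + 1:pos + 1 + n].lower())
        pos += 1 + n
    if payload[pos + 1:pos + 5] != struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS):
        return False
    return labels == [b"version", b"bind"]

def send_probe(host_behind_sensor: str, port: int = 53) -> int:
    """Send one datagram and return bytes sent; no reply is awaited,
    because the query itself is what the sensor matches."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(build_version_query(), (host_behind_sensor, port))
```
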
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:41 EDT