From: Meidinger Chris (chris.meidinger@badenIT.de)
Date: Thu Mar 16 2006 - 13:21:57 EST
I agree that everyone's needs are different. However, any IDS should trigger on a x-mas or SYN/FIN packet - even a single one without a full-blown portscan.
If you just want to see that your IDS is operational that's a good way to do it. If it doesn't ring the alarm either it's not working or you need a different IDS.
Cheers,
Chris
----- Ursprüngliche Nachricht -----
Von: "Christine Kronberg" <Christine_Kronberg@genua.de>
An: "pen-test@securityfocus.com" <pen-test@securityfocus.com>
Gesendet: 16.03.06 19:09
Betreff: Re: Triggering IDS
Hiho,
> Y'know how there's the EICAR anti virus test file, which lets you see
> if your anti-virus is working, well, I was wondering if there was
> something similar to let you see what happens when your IDS triggers?
>
> Should I just send a lot of NOPs in a TCP session, or make obvious
> port scans, or is there some kind of 'industry standard' way to
> deliberately trigger IDS alarms?
I know of no 'industry standard'. I don't think there is one. If I
want to the test my IDS I use a sample of self written rules which
must trigger. Additionally I have samples of good traffic where my
IDS must not trigger. But this is specific to my needs. To another
person my good traffic may be evil. I think this makes it difficult
to set an 'industry standard'.
A 'industry standard' must fit to all possible situations without
flooding the IDS with alarms. Yet it must be so generell that no
additional software packages are needed. And you must be 100% sure
that there is no chance for a false positive or false negative.
For example: Let's use SYN packets to test the IDS. That should be
no problem for any network. But this is only a part of an IDS. What's
abount IP fragments? Are they properly detected, too? Or any other
unusal settings in the packets? An IDS is far more complex than a
antivirus software.
Cheers,
Christine Kronberg.
-- GeNUA mbH ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/forms/ec.php?pubid=10025 And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request@cenzic.com ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/forms/ec.php?pubid=10025 And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request@cenzic.com ------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:42 EDT