« Return to Thread: To test IPS/IDS box.
Re: To test IPS/IDS box.
by Leon Ward-2
::
Rate this Message:
Hi.
Comments _inline
On 5 May 2008, at 20:28, Joshua Gimer wrote:
> There are several tools that you can use to aid in testing.
> I would use some automated scanning tools first such as Nessus; this
> will show you how much information can be gathered about a remote
> system.
If an IPS was to *block* all traffic that would allow remote device
enumeration, it would break the network. Sure, some specific
enumeration attempts can prevented but these would have to be looked
at on a case by case basis. As a rule, Nessus, and its closed source
VA alternatives are not normally useful for testing IPS.
> Metasploit can also be of use in this situation. I would suggest
> looking into the ips_filter.rb plugin.
> You can also check some conference archives, and SANS reading room
> for more ideas, and techniques.
Yes, Metasploit is one good tool for your (and everyones) kit-bag, but
it doesn't provide the reproducibility for a real good test. Even
though you can run the same exploit/payload/options over and over
again inside Metasploit, the target device may change state.
I would recommend taking a set of pcaps *you* create that *you want*
your IPS to block (Maybe using metasploit or other tool of choice).
You can then replay these over and over again to re-create the same
test environment. The same rule applies for clean traffic. Once you
have this clean/dirty baseline you can introduce tuning and even
different devices for coparisron.
This then leaves the qualitative testing of what device can be managed
best, used for event analysis best, produces the most meaningful
reports etc etc
Regards
-Leon
> http://www.sans.org/reading_room/
>
> http://www.blackhat.com/html/bh-media-archives/bh-multimedia-archives-index.html
>
> I know that there was a presentation that was done in 2006 about,
> ids and ips evasion. I am sure that there are ton's of others.
>
> Joshua Gimer
>
>
> On May 5, 2008, at 11:10 AM, Jamie Riden wrote:
>
>> Try to break into the network (make sure you have explicit permission
>> first!) and see if it stops you, or alerts. Have a play with nessus,
>> nmap and metasploit for example.
>>
>> I wouldn't actually go as far as attempting to infect the network
>> with
>> a virus- if it did work then you would have serious problems. You
>> could try it on a completely isolated test network.
>>
>> cheers,
>> Jamie
>>
>> On 05/05/2008, Paari <paarim@...> wrote:
>>>
>>> Hi guys,
>>>
>>> Can you please give me some reference or links on how to test
>>> IPS/IDS
>>> hardware box.
>>>
>>>
>>> Thanks,
>>> Paari
>>
>> --
>> Jamie Riden / jamesr@... / jamie@...
>> UK Honeynet Project: http://www.ukhoneynet.org/
>>
>> ------------------------------------------------------------------------
>> Test Your IDS
>>
>> Is your IDS deployed correctly?
>> Find out quickly and easily by testing it
>> with real-world attacks from CORE IMPACT.
>> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
>> to learn more.
>> ------------------------------------------------------------------------
>>
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing itwith real-world attacks
> from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfwto
> learn more.
> ------------------------------------------------------------------------
>
>
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
Comments _inline
On 5 May 2008, at 20:28, Joshua Gimer wrote:
> There are several tools that you can use to aid in testing.
> I would use some automated scanning tools first such as Nessus; this
> will show you how much information can be gathered about a remote
> system.
If an IPS was to *block* all traffic that would allow remote device
enumeration, it would break the network. Sure, some specific
enumeration attempts can prevented but these would have to be looked
at on a case by case basis. As a rule, Nessus, and its closed source
VA alternatives are not normally useful for testing IPS.
> Metasploit can also be of use in this situation. I would suggest
> looking into the ips_filter.rb plugin.
> You can also check some conference archives, and SANS reading room
> for more ideas, and techniques.
Yes, Metasploit is one good tool for your (and everyones) kit-bag, but
it doesn't provide the reproducibility for a real good test. Even
though you can run the same exploit/payload/options over and over
again inside Metasploit, the target device may change state.
I would recommend taking a set of pcaps *you* create that *you want*
your IPS to block (Maybe using metasploit or other tool of choice).
You can then replay these over and over again to re-create the same
test environment. The same rule applies for clean traffic. Once you
have this clean/dirty baseline you can introduce tuning and even
different devices for coparisron.
This then leaves the qualitative testing of what device can be managed
best, used for event analysis best, produces the most meaningful
reports etc etc
Regards
-Leon
> http://www.sans.org/reading_room/
>
> http://www.blackhat.com/html/bh-media-archives/bh-multimedia-archives-index.html
>
> I know that there was a presentation that was done in 2006 about,
> ids and ips evasion. I am sure that there are ton's of others.
>
> Joshua Gimer
>
>
> On May 5, 2008, at 11:10 AM, Jamie Riden wrote:
>
>> Try to break into the network (make sure you have explicit permission
>> first!) and see if it stops you, or alerts. Have a play with nessus,
>> nmap and metasploit for example.
>>
>> I wouldn't actually go as far as attempting to infect the network
>> with
>> a virus- if it did work then you would have serious problems. You
>> could try it on a completely isolated test network.
>>
>> cheers,
>> Jamie
>>
>> On 05/05/2008, Paari <paarim@...> wrote:
>>>
>>> Hi guys,
>>>
>>> Can you please give me some reference or links on how to test
>>> IPS/IDS
>>> hardware box.
>>>
>>>
>>> Thanks,
>>> Paari
>>
>> --
>> Jamie Riden / jamesr@... / jamie@...
>> UK Honeynet Project: http://www.ukhoneynet.org/
>>
>> ------------------------------------------------------------------------
>> Test Your IDS
>>
>> Is your IDS deployed correctly?
>> Find out quickly and easily by testing it
>> with real-world attacks from CORE IMPACT.
>> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
>> to learn more.
>> ------------------------------------------------------------------------
>>
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing itwith real-world attacks
> from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfwto
> learn more.
> ------------------------------------------------------------------------
>
>
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
« Return to Thread: To test IPS/IDS box.
| Free embeddable forum powered by Nabble | Forum Help |
