From: Stephane Aubert (Stephane.Aubert@hsc.fr)
Date: Wed May 16 2001 - 04:50:12 CDT
Hi
On Tue, May 15, 2001 at 03:24:23PM -0500, Patrick Mueller wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> A laudable goal: "Like nidsbench, IDSwakeup is being published in the
> hopes that a more precise testing methodology might be applied to network
> intrusion detection, which is *still* a black art at best."
>
> Basically, using hping, IDSwakeup crafts packets which mimic well-known
> attacks.
Mimic but not reproduce.
> Depending on what type of testing you're doing, using crafted packets may
> or may not be the direction you want to go. For example, your IDS may be
> more intelligent than one of the "attacks", in that the author (of
> IDSwakeup) may *think* that he is emulating an attack,
No !
IDSwakeup is *NOT* a scanner like Nessus that can really test
vulnerabilities.
IDSwakeup is the first false positive generator for IDS systems !
(you now have another soft called stick written with lex&yacc)
Example 'GET /cgi-bin/phf':
It doesn't send SYN - SYN|ACK - ACK and PSH|ACK in order to emulate a
real attack with a real connection. It just sends a PSH|ACK datagram with
a short TTL.
This is not an effective attack against the web server, but you will
get an alert in your NIDS.
I first used it on IDnet at Monterey (www.sans.org) and I was able to
generate more than 82000 alerts on RealSecure (just an example).
The report was so big that I could not see it; the generating
process crashed.
> when in fact he is not.
sure ? :)
> A precisely written sig therefore would (correctly) not alert.
A perfect IDS will do this ;-)
When you read the docs you have some marketing information like:
We detect teardrop attacks.
When you really test the IDS you discover that it detects only the
version of teardrop published by route with the ID field at 242 :(
> Or, if
> your IDS is tracking TCP state, it *shouldn't* alert on these types of
Yes, it shouldn't alert, but in fact it will ... and sometimes more than 82000
times ;-)
I was surprised to see that even NFR generates false alerts under
IDSwakeup (Cisco NR was less surprising ;-).
> "attacks" since they don't make any actual connections (AFAIK) -- although
> that-- anyone who's used this, please chime in.
Right, no connections, that's one of the goals of IDSwakeup (FALSE positives :)
> My unstated assumption is that setting up vulnerable boxes and running
> actual attacks is the most accurate way to test IDS signature response.
> Comments?
Just one: don't trust the marketing guy, test your IDS on a network !
> Here's the URL:
> http://www.hsc.fr/ressources/outils/idswakeup/index.html.en
>
> And a nice "screenshot":
> http://www.hsc.fr/ressources/outils/idswakeup/index.html.en#copieecran
Thanx ;) You also have this one http://www.hsc.fr/tips/
Regards,
Stef
> -- Patrick
>
> - -------------------------------------------------------------------------
> Patrick Mueller === Security Analyst === <pmueller@neohapsis.com>
> ----- Neohapsis <www.neohapsis.com> -----
--
Stephane AUBERT                          Stephane.Aubert@hsc.fr
Herve Schauer Consultants  -=-  Network Security Consultant
------------------=[ RFC1855 is good for us ! ]=--------------------
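The thread's central point is that a lone PSH|ACK carrying `GET /cgi-bin/phf` with no preceding handshake is not an attack, and an IDS that tracks TCP state should not alert on it, while a stateless pattern matcher will. The following is an added illustration, written for this page and not code from IDSwakeup, hping or either poster: it runs a stateless matcher and a minimal state-tracking matcher over constructed packet records (the addresses, ports, TTLs and the `PHF_SIGNATURE` string are made-up sample values, and nothing is sent on the wire). It also shows a third, defender-side view: counting payload-bearing segments that belong to no known connection, which is how IDSwakeup-style traffic can be surfaced as an anomaly rather than as 82000 attack alerts.

```python
"""Stateless vs. state-tracking signature evaluation over constructed
TCP segment records. No packets are sent or captured."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Hypothetical content signature, in the spirit of the 'GET /cgi-bin/phf'
# example from the thread (constructed for this illustration).
PHF_SIGNATURE = b"GET /cgi-bin/phf"

FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str]   # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}
    ttl: int
    payload: bytes = b""


def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet) -> FlowKey:
    return (p.dst, p.dport, p.src, p.sport)


def stateless_alerts(packets: List[Packet]) -> List[Packet]:
    """A pure pattern matcher: fires on any segment whose payload
    contains the signature, connection or not."""
    return [p for p in packets if PHF_SIGNATURE in p.payload]


class FlowTracker:
    """Minimal TCP state machine keyed on the client->server 4-tuple:
    SYN -> SYN|ACK -> ACK moves a flow to ESTABLISHED; FIN/RST drops it."""

    def __init__(self) -> None:
        self.state: Dict[FlowKey, str] = {}

    def update(self, p: Packet) -> str:
        key, rkey = flow_key(p), reverse_key(p)
        f = p.flags
        if f == {"SYN"}:
            self.state[key] = "SYN_SENT"
        elif f == {"SYN", "ACK"} and self.state.get(rkey) == "SYN_SENT":
            self.state[rkey] = "SYN_RECEIVED"
        elif "ACK" in f and "SYN" not in f and self.state.get(key) == "SYN_RECEIVED":
            self.state[key] = "ESTABLISHED"
        elif "RST" in f or "FIN" in f:
            self.state.pop(key, None)
            self.state.pop(rkey, None)
        # Either direction of an established flow resolves to its state.
        return self.state.get(key) or self.state.get(rkey) or "NONE"


def stateful_alerts(packets: List[Packet]) -> List[Packet]:
    """Only inspects payload on flows that completed the 3-way handshake."""
    tracker, alerts = FlowTracker(), []
    for p in packets:
        if tracker.update(p) == "ESTABLISHED" and PHF_SIGNATURE in p.payload:
            alerts.append(p)
    return alerts


def orphan_payloads(packets: List[Packet]) -> List[Packet]:
    """Defender's view of IDSwakeup-style traffic: data-bearing segments that
    belong to no tracked connection. Worth a low-priority 'orphan data' log
    line, not an attack alert."""
    tracker, orphans = FlowTracker(), []
    for p in packets:
        if tracker.update(p) == "NONE" and p.payload:
            orphans.append(p)
    return orphans


def build_sample_traffic() -> List[Packet]:
    """Constructed sample: one IDSwakeup-style lone PSH|ACK with a short TTL,
    followed by a genuine connection carrying the same request."""
    sender, victim, client = "10.0.0.5", "10.0.0.80", "10.0.0.9"
    request = b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"
    orphan = Packet(sender, victim, 40001, 80, frozenset({"PSH", "ACK"}),
                    ttl=2, payload=request)
    real_connection = [
        Packet(client, victim, 40002, 80, frozenset({"SYN"}), 64),
        Packet(victim, client, 80, 40002, frozenset({"SYN", "ACK"}), 64),
        Packet(client, victim, 40002, 80, frozenset({"ACK"}), 64),
        Packet(client, victim, 40002, 80, frozenset({"PSH", "ACK"}), 64, request),
    ]
    return [orphan] + real_connection


if __name__ == "__main__":
    traffic = build_sample_traffic()
    print("stateless alerts:", len(stateless_alerts(traffic)))   # 2
    print("stateful alerts: ", len(stateful_alerts(traffic)))    # 1
    print("orphan payloads: ", len(orphan_payloads(traffic)))    # 1
```

The same request string appears twice in the sample, but only the copy inside a completed handshake is something a web server could ever process; the stateless matcher cannot tell the two apart, which is exactly how a single tool produces tens of thousands of alerts. Real sensors add reassembly, sequence-number checking and timeouts on top of this sketch, but the split between "matched a byte pattern" and "matched on a connection that exists" is the property the thread says marketing claims rarely reflect.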