Hi.
Comments _inline
On 5 May 2008, at 20:28, Joshua Gimer wrote:
There are several tools that you can use to aid in testing.
I would use some automated scanning tools first such as Nessus; this
will show you how much information can be gathered about a remote
system.
If an IPS was to *block* all traffic that would allow remote device
enumeration, it would break the network. Sure, some specific
enumeration attempts can prevented but these would have to be looked
at on a case by case basis. As a rule, Nessus, and its closed source
VA alternatives are not normally useful for testing IPS.
Metasploit can also be of use in this situation. I would suggest
looking into the ips_filter.rb plugin.
You can also check some conference archives, and SANS reading room
for more ideas, and techniques.
Yes, Metasploit is one good tool for your (and everyones) kit-bag, but
it doesn't provide the reproducibility for a real good test. Even
though you can run the same exploit/payload/options over and over
again inside Metasploit, the target device may change state.
I would recommend taking a set of pcaps *you* create that *you want*
your IPS to block (Maybe using metasploit or other tool of choice).
You can then replay these over and over again to re-create the same
test environment. The same rule applies for clean traffic. Once you
have this clean/dirty baseline you can introduce tuning and even
different devices for coparisron.
This then leaves the qualitative testing of what device can be managed
best, used for event analysis best, produces the most meaningful
reports etc etc
Regards
-Leon
http://www.sans.org/reading_room/
http://www.blackhat.com/html/bh-media-archives/bh-multimedia-archives-index.html
I know that there was a presentation that was done in 2006 about,
ids and ips evasion. I am sure that there are ton's of others.
Joshua Gimer
On May 5, 2008, at 11:10 AM, Jamie Riden wrote:
Try to break into the network (make sure you have explicit permission
first!) and see if it stops you, or alerts. Have a play with nessus,
nmap and metasploit for example.
I wouldn't actually go as far as attempting to infect the network
with
a virus- if it did work then you would have serious problems. You
could try it on a completely isolated test network.
cheers,
Jamie
On 05/05/2008, Paari <[EMAIL PROTECTED]> wrote:
Hi guys,
Can you please give me some reference or links on how to test
IPS/IDS
hardware box.
Thanks,
Paari
--
Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED]
UK Honeynet Project: http://www.ukhoneynet.org/
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing itwith real-world attacks
from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfwto
learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
