my experience in worm simulations with live traffic has roughly found the
following:
- you want to simulate probe traffic and network effects (i.e. TCP
RSTs, ICMP unreachables, congestion in some cases)
- you want to detect a successful exploit
- you want to catch payload transfer
- you want to catch any secondary actions of the new victim
setting two boxes up on the same LAN with one infected and one not will
not get you anything but the probe traffic, no network effects. even if
one box is just nmapping and nessusing it's not going to work out so well.
design your lab with the above in mind. check wormblog for some papers on
worm "laboratories" and such.
________
jose nazario, ph.d. http://monkey.org/~jose/
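To show what "catching" each of the four stages above looks like on the wire, here is an added example (not from the post or its author) that classifies constructed Zeek-style connection records into scanning, network effects, payload transfer and secondary scanning by the new victim; the record layout, thresholds and the made-up "UNREACH" state are assumptions.

```python
"""Stage detector for worm-lab traffic, keyed to the four things the post
says a lab must capture.  Added example, not from the post or its author:
it runs over CONSTRUCTED Zeek-style connection records, not real captures."""
from collections import defaultdict

# Assumed record shape: (ts, orig, resp, resp_port, conn_state, orig_bytes).
# Zeek conn_state values used: S0 (no reply), REJ (RST answered), SF (normal).
# A made-up state "UNREACH" stands in for an ICMP unreachable seen for the flow.
LAB_LOG = [
    (1.0, "10.0.0.5", "10.0.0.9",  445, "S0", 0),
    (1.1, "10.0.0.5", "10.0.0.10", 445, "REJ", 0),
    (1.2, "10.0.0.5", "10.0.0.11", 445, "UNREACH", 0),
    (1.3, "10.0.0.5", "10.0.0.12", 445, "SF", 0),      # vulnerable host answers
    (1.4, "10.0.0.5", "10.0.0.12", 445, "SF", 4200),   # exploit + payload pushed
    (5.0, "10.0.0.12", "10.0.0.20", 445, "S0", 0),     # new victim starts probing
    (5.1, "10.0.0.12", "10.0.0.21", 445, "REJ", 0),
    (5.2, "10.0.0.12", "10.0.0.22", 445, "SF", 4200),
]
PROBE_MIN_TARGETS = 3      # distinct hosts touched before we call it a scan
PAYLOAD_MIN_BYTES = 1024   # originator bytes that look like a payload push

def analyze(records):
    """Return scanners, network effects per scanner, infections, and which
    victims went on to scan themselves (the post's 'secondary actions')."""
    targets = defaultdict(set)
    effects = defaultdict(lambda: {"S0": 0, "REJ": 0, "UNREACH": 0})
    first_scan_ts = {}   # host -> ts at which it crossed the scan threshold
    infections = []      # (ts, attacker, victim)
    for ts, orig, resp, port, state, obytes in sorted(records):
        targets[orig].add(resp)
        if state in effects[orig]:          # RST / silence / ICMP unreachable
            effects[orig][state] += 1
        if len(targets[orig]) >= PROBE_MIN_TARGETS:
            first_scan_ts.setdefault(orig, ts)
        if state == "SF" and obytes >= PAYLOAD_MIN_BYTES:
            infections.append((ts, orig, resp))   # payload transfer observed
    scanners = sorted(first_scan_ts)
    # a victim that begins scanning after it received the payload
    secondary = sorted(v for ts, a, v in infections
                       if v in first_scan_ts and first_scan_ts[v] > ts)
    return {"scanners": scanners,
            "effects": {h: dict(effects[h]) for h in scanners},
            "infections": infections,
            "secondary": secondary}

if __name__ == "__main__":
    print(analyze(LAB_LOG))
```

Without the REJ/UNREACH rows the "effects" counts stay empty, which is exactly the two-boxes-on-a-LAN blind spot the post warns about.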