[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [ISSForum] How to test Sensors?

 Another way of testing your sensors is to generate a known set of
"suspicious" traffic, you can do this with your favourite "attack tools"
depending on what areas of the IDS functionality you are looking to test. 

Inject this into your network against your standard background traffic.

Capture the whole lot, ie background traffic and suspicious events using

You can then use tcpreplay to replay the traffic at various speeds to test
the ability of the IDS to perform against various network loads. 

If you want to you can of course generate harmless background traffic to
make the IDS's life harder and if you really want to give it a hard time,
run everything through fragroute as well.

Regards Sarah

-----Original Message-----
From: Robert Graham
To: bojidar_tzendov; ISSForum@xxxxxxx
Sent: 15/06/03 18:37
Subject: Re: [ISSForum] How to test Sensors?

In RealSecure 7, take a look at the "SensorStatistics" event that
appeared in
XPU 20.13.

This event is triggered every 15 minutes, and contains a count of the
number of
packets seen. Look at the "event details" for SensorStatistics in order
to see
this counts.

It also shows what happening in the TCP state tracking tables. For
example, if
you are getting large counts for the "tcp.misseddata_acks" or
then there is likely a problem in the way you've tapped into traffic.
And, of
course, if you aren't seeing many "ip.packets", then you likewise
tapped correctly into traffic. (Note that if you aren't seeing any
SensorStatistics, then you aren't seeing any packets at all).

Once you've made sure that this is corrent, then go to a web-browser and
in a hostile URL. The traditional one is "http://victim/cgi-bin/phf";.
Make sure
that the packets in question are actually supposed to be going across
the wire
in question. We spend a lot of time with customers who do their test
wrong. For
example, a customer might type a hostile URL, then realize the IDS
plugged in, and then the second time, they don't realize the web-browser
cached the first request.

--- bojidar_tzendov <bojidar_tzendov@xxxxxxxx> wrote:
> Dear All,
> How to test sensors if I have a pilot installation?
> Is there any procedure and tools?
> Can anyone send me docs and tools or at least urls?
> Thanks in advance
> bojidar
> Bojidar Tzendov
> Area Sales Manager
> Test Solutions
> mobile: +359 88 605 365
> phone: +359 2 969 60 60
> fax: +359 2 969 60 69

Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
ISSForum mailing list


This e-mail and any attachment is for authorised use by the intended recipient(s) only.  It may contain proprietary material, confidential information and/or be subject to legal privilege.  It should not be copied, disclosed to, retained or used by, any other party.  If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender.  Thank you.
ISSForum mailing list

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo