IDS Assessments....and the I{D|P}S evasion research project

From: Joseph McCray (joe@learnsecurityonline.com)
Date: Wed Nov 15 2006 - 16:22:19 EST


I just doing an IDS assessment where the goal is to fine tune the IDS
(reduce false positives/false negatives blah blah blah). It's been a lot
of fun, but now I'm curious about how I can get signature verification
information more efficiency.

Have any of you ever taken the time to develop a list signatures and
their corresponding tools and/or exploits that actually trigger every
individual signature the IDS has?

I know that if someone has attempted this it was VERY IDS specific -
like they may have been doing Sourcefire, or Real Secure signatures so
no I'm not asking for your documentation.

I'm really looking for input, tips, ideas of ways to automate a lot of
the testing. I'm looking for this especially for exploits - how did you
systematically handle things like:

        1. running a specific tool/exploit with varying parameters passed to it
        2. verifying that the system was actually exploited
        3. verifying that the IDS alert actually triggered
        4. verifying that the service is still running after the attempted
exploit (restart the service/reboot the box if needed)
        5. correlating 1, 2 and 3 above

I'm thinking a ton of scripting is going to be the secret here. Any
ideas and feedback would be greatly appreciated.

-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe@learnsecurityonline.com
Web:        https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:19 EDT