Re: Re: Triggering IDS

From: Albert Gonzalez (incodeblood@gmail.com)
Date: Thu Mar 16 2006 - 16:05:33 EST


Hello,

On 3/16/06, Meidinger Chris <chris.meidinger@badenit.de> wrote:
> I agree that everyone's needs are different. However, any IDS should trigger on an x-mas or SYN/FIN packet - even a single one without a full-blown portscan.
>
> If you just want to see that your IDS is operational that's a good way to do it. If it doesn't ring the alarm either it's not working or you need a different IDS.

Just because it didn't alert when you scanned doesn't mean you will
need a new IDS. Misconfiguration of such devices is quite
commonplace. You have so many different things that can go wrong when
deploying an IDS that I expect it not to work once I have finished
configuring it (just to be safe). One thing I have seen often is
having an IDS deployed, it is seeing alerts, but folks aren't checking
to see whether the device can see the entire stream (flow) of the data.
So although they have alerts, they are still missing a significant
amount of traffic due to the misconfiguration.

But yes, generally when a device is deployed and you point nikto /
nessus / nmap at it, you should see it triggering on various
signatures. I know for sure that a full-blown nessus scan against
snort will make it light up like an xmas tree.

HTH,

- Albert

>
> Cheers,
>
> Chris
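The two checks discussed in this exchange, as an added example that is not part of the original post: flagging the anomalous TCP flag combinations an IDS is expected to alert on (xmas, SYN/FIN, and the related null combination), and spotting flows for which the sensor only ever sees one direction, which is the "alerts but not the whole stream" misconfiguration Albert describes. The packet records, addresses and function names are constructed for this example.

```python
# Added example (not from the thread): offline checks over constructed packet
# records. A sensor that alerts on flag anomalies but sees only one side of
# most flows is misconfigured (e.g. a SPAN port mirroring one direction).
from collections import defaultdict

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_flags(flags):
    """Return an anomaly name for a TCP flags byte, or None if it looks legitimate."""
    if flags == 0:
        return "null-scan"                      # no flags at all
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG) and not flags & (SYN | ACK):
        return "xmas-scan"                      # FIN+PSH+URG "lit up" packet
    if flags & (SYN | FIN) == (SYN | FIN):
        return "syn-fin"                        # open and close in one segment
    return None

def flag_anomalies(packets):
    """packets: iterable of (src, dst, flags). Returns [(src, dst, anomaly), ...]."""
    return [(s, d, classify_flags(f)) for s, d, f in packets if classify_flags(f)]

def one_sided_flows(packets):
    """Endpoint pairs for which traffic was seen in only one direction.

    Many of these across ordinary connections means the IDS is not seeing
    the entire stream, so stream-based signatures will silently miss traffic.
    """
    directions = defaultdict(set)
    for src, dst, _flags in packets:
        directions[frozenset((src, dst))].add((src, dst))
    return sorted(tuple(sorted(k)) for k, seen in directions.items() if len(seen) == 1)

# Constructed sample traffic (not a capture): one normal handshake with both
# sides visible, two probes that got RST replies, and one flow seen one-way.
SAMPLE_PACKETS = [
    ("10.0.0.5:41000", "10.0.0.9:80", SYN),
    ("10.0.0.9:80", "10.0.0.5:41000", SYN | ACK),
    ("10.0.0.5:41000", "10.0.0.9:80", ACK),
    ("10.0.0.5:41001", "10.0.0.9:22", FIN | PSH | URG),   # xmas probe
    ("10.0.0.9:22", "10.0.0.5:41001", RST | ACK),
    ("10.0.0.5:41002", "10.0.0.9:22", SYN | FIN),         # SYN/FIN probe
    ("10.0.0.9:22", "10.0.0.5:41002", RST | ACK),
    ("10.0.0.7:50000", "10.0.0.9:443", SYN),              # server side never seen
    ("10.0.0.7:50000", "10.0.0.9:443", ACK),
]

if __name__ == "__main__":
    print("flag anomalies:", flag_anomalies(SAMPLE_PACKETS))
    print("one-sided flows:", one_sided_flows(SAMPLE_PACKETS))
```

Running it on real sensor data would mean feeding (src, dst, flags) tuples decoded from a pcap; the one-sided check is the one to watch after any tap or SPAN change.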




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:42 EDT