07-03-2005 11:20 PM - edited 03-10-2019 01:31 AM
Hi all,
Is it possible to simulate/reproduce a handful (say 20) of intrusion/attack signatures in order to confirm that the IDS is indeed detecting them? Is there any freeware that's something like a "signature generator"?
Thanks.
07-04-2005 05:17 AM
You could do this using Nessus. It's a freeware vulnerability scanner that could be used to generate as few, or as many, known events on a wire and check to see if the expected IDS/IPS signature logs the event.
The unfortunate thing with Nessus, however, is that you'll have to target a live host...
If you want pure traffic generation that doesn't rely on a live host at the other end, check out Blade Software's IDS Informer (http://www.bladesoftware.net/prod_ids.html) as a viable (though not freeware) option. I'm currently using it to test my sensors to great effect. The demo runs only a limited number of the total events available, but even this group is sufficient if you're looking for something quick.
The beauty of this tool is the fact that it spoofs all the traffic, so you can literally connect a laptop to the monitoring NIC using a cross-over cable and generate what looks like live network attacks. Definitely a bonus when you want to confirm the sensor is working without having to take it off the workbench and go plug it into some sort of network infrastructure to confirm operations.
I hope this helps,
Alex Arndt
07-06-2005 03:17 PM
I've seen an app called Traffic IQ that does something similar for testing network security systems. They have got a basic version which has about 50 types of test and that comes in at $299 which is not bad. www.karalon.com
CT