
Attack Simulation

teperjesi
Level 1

I want to set up a demo for my customers. How could I simulate the attacks? I've used the String Match signatures before, but I want to see the built-in signatures!

Thanks!

8 Replies

jerryd
Level 1

You can use a vulnerability scanner like Nessus or Cisco's vulnerability scanner; this will definitely trigger the built-in signature.

mlhall
Cisco Employee

As someone has already suggested, using a scanner is a good idea.

Be careful about testing IDSes with IDS testing "tools." Some of these tools do not actually exploit a security problem, they just attempt to look like a tool that does. Some of the signatures may not fire for different IDSes with different testing tools. The best way to test is to actually exploit a target system.

I use the Cisco Secure Scanner to test my IDS! And I see only a small number of attack types! Although my scanner tries/finds a lot of vulnerabilities, the sensor sees only TCP and UDP port sweeps and improper FTP address, but nothing else!

How is it that I set the sensor to fire when a user fails 3 times to log in to an FTP server (Sig6250), and it doesn't do that? I set the signature to High level and the packetd.conf in the sensor is OK!

My system contains: cspm233i sig10 and ids4210 sp2 sig10

Any advice?

Cisco Secure Scanner performs a lot of its vulnerability checks using inference. For instance, it will look for a Sendmail version on the banner information returned from TCP port 25. If it finds a version containing a known vulnerability, it will report the problem without actually trying the real Sendmail exploit. This can explain some of the vulnerabilities reported by CSS and not by CSIDS. Also, make sure that the active exploits are enabled during the scan. Otherwise, CSS won't try any of its more probing exploits. In regards to signature 6250 not firing, this could be a potential problem if the FTP login attempts occurred in different sessions. Signature 6250 currently assumes that all the login events occurred in the same TCP session. We are working on an event aggregation system to help correlate multiple alarms in a future release.
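The same-session assumption described in the reply above can be seen in a small model of the two counting strategies. This is an added example, not part of the original thread and not Cisco's signature implementation; the event tuples, the 60-second window and both function names are assumptions made for illustration.

```python
from collections import defaultdict, deque

THRESHOLD = 3        # failed logins before alarming (the count used in the thread)
WINDOW_SECONDS = 60  # assumed correlation window for the aggregated detector

# Constructed sample events: (time_s, client_ip, server_ip, tcp_session_id, ftp_reply_code)
# 530 is the FTP "Not logged in" reply; 230 is a successful login.
EVENTS = [
    (0,  "192.0.2.10", "198.51.100.5", "s1", 530),
    (1,  "192.0.2.10", "198.51.100.5", "s1", 530),
    (2,  "192.0.2.10", "198.51.100.5", "s1", 530),   # 3 failures, one session
    (10, "192.0.2.20", "198.51.100.5", "s2", 530),
    (12, "192.0.2.20", "198.51.100.5", "s3", 530),
    (14, "192.0.2.20", "198.51.100.5", "s4", 530),   # 3 failures, one per session
    (20, "192.0.2.30", "198.51.100.5", "s5", 530),
    (21, "192.0.2.30", "198.51.100.5", "s5", 230),   # one typo, then success
]

def per_session_alarms(events):
    """Count failures within a single TCP session only."""
    counts = defaultdict(int)
    alarms = set()
    for _, src, dst, session, code in events:
        if code == 530:
            counts[session] += 1
            if counts[session] >= THRESHOLD:
                alarms.add((src, dst))
    return alarms

def aggregated_alarms(events):
    """Count failures per (client, server) pair across sessions in a sliding window."""
    recent = defaultdict(deque)
    alarms = set()
    for ts, src, dst, _, code in sorted(events):
        if code != 530:
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:  # drop failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            alarms.add((src, dst))
    return alarms

if __name__ == "__main__":
    print("per-session:", sorted(per_session_alarms(EVENTS)))
    print("aggregated: ", sorted(aggregated_alarms(EVENTS)))
```

The per-session counter misses the client whose three failures are spread over three connections, while the aggregated counter reports both clients and still ignores the single mistyped password.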

Thanks for the answers! I'm sure now, that my Sensor is ok!

Have you guys seen the product I just mentioned, IDS Informer? www.blade-software.com

mvine
Level 1

Hi, I heard about IDS Informer, which does this (www.blade-software.com). There is nothing else out there really; I looked at the end of the year.

M

brok3n
Level 1

Download "stick" from http://www.packetstormsecurity.com (search for it)

Its apparent intention is as a resource starvation and DoS tool for IDSes, but if you pare back the rulebase and work with it, it can be a useful tool.

I agree, however, that if you want to see the sensor work, just download some common exploits and run them against a demo box.