Re: Testing IDS with tcpreplay

Tue, 14 Feb 2006 14:28:52 -0800

Rather than replaying, you'll get a much better view of how well the IDS works if you use real attacks with real obfuscation techniques. Metasploit is a great tool for this (www.metasploit.org).
Setting up Metasploit doesn't have to be hard. There are a bunch of tutorials on using a Whax (bootable Linux CD) ISO image to run from. Simply pop in the CD and boot. 


The one hitch is that you'll need to have real victims to attack.  
Setting up a few target systems as VMWare images makes testing simple.  
You can use the snapshot capability to return the victim to a 
pre-attack state.



The problem with pcaps is that you're working with exploits that have 
already been seen and are static.  If your goal is to determine IDS 
effectiveness, using real attacks is better.


- Eric


-----Original Message-----
From: Elias-Bachrach, Ari (HQ-WRH10) <[EMAIL PROTECTED]>
To: Focus-Ids Mailing List <[email protected]>
Sent: Mon, 13 Feb 2006 17:07:50 -0500
Subject: Testing IDS with tcpreplay


I'm trying to do some IDS testing, and after digging through the list 
archives,
the method that appeals the most to me (based in it being both free and 
very
useful for my current situation), is using tcpreplay with some pcap 
files to
replay various network attacks and see if the IDS picks them up. My 
problem is
this - I can't seem to locate a good source of pcap files online that I 
can
replay. I've tried the usual suspects (defcon, sourcefire, etc.), but I 
can't
seem to locate any. If anyone knows of any trace files of network 
attacks
(especially successful attacks) that can be replayed to test an IDS, 
I'd

certainly appreciate it.

thanks


Ari Elias-Bachrach
NASA OIG
[EMAIL PROTECTED]
(202) 358-4578

___________________________________________________
Try the New Netscape Mail Today!
Virtually Spam-Free | More Storage | Import Your Contact List
http://mail.netscape.com


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.

------------------------------------------------------------------------























					Reply via email to