I should point out that that is exactly what we have to do. We run the same Metasploit exploit multiple times if it offers options (auto-version, XP-only, W2K-only, etc) and then we run it against multiple targets, and so on and so forth to go through all the possible permutations. We will then find other exploit tools or live variations of the same exploit and do the same with them (to make sure the IPS cannot ONLY detect the Metasploit version).
Where possible, we will also modify live exploits to change the traffic on the wire whilst accomplishing the same end (i.e. a simplistic example: if the live exploit loads a buffer with all "A"s we will change that to randomise the buffer content to make sure that the IPS vendor is looking for a buffer overflow and not just looking for a bunch of "A"s). Where we cannot modify the exploit, we can often modify the PCAP.

For each test case in our test suite we might have 20, 30, 40 actual replays to cover a wide range of permutations (though no one would be stupid enough to claim they cover ALL possible permutations, even running only live exploits).

And yes, we STILL run live exploits too.... horses for courses....

Bob Walder

On 25/2/06 03:13, "Aaron Turner" <[EMAIL PROTECTED]> wrote:

> Well in both cases, you're only testing a particular instance of the
> exploit. If you want to try 500 different instances of a particular
> exploit you have to run metasploit 500 times. But when you test
> another IDS/IPS there is no guarantee that the next 500 times you try
> it will look exactly like the first 500 times. Using
> tcpdump/tcpreplay you could capture those 500 tests and replay them
> any number of times, thereby making sure that all devices see the same
> thing which provides true comparative analysis.
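The point about randomising the buffer content (so an IPS has to recognise the overflow itself rather than a run of "A"s) can be made concrete with a small evaluation harness. The example below is added here and is not code from the list thread or from any vendor's test suite; it assumes a toy line-based protocol ("USER <name>\r\n") with a constructed field-length limit, and compares a brittle pattern signature against a protocol-aware length check over a batch of constructed variants, the first with the textbook "A" filler and the rest with random printable filler.

```python
import random
import re
import string

# Toy protocol (constructed for this example): a conforming client never sends
# a USER argument longer than FIELD_MAX bytes. The limit itself is an assumption.
FIELD_MAX = 64
FIELD_RE = re.compile(rb"^USER ([^\r\n]*)\r\n")

# Constructed benign traffic used to check for false positives.
BENIGN = b"USER alice\r\n"


def brittle_signature(payload: bytes) -> bool:
    """A 'signature' that only knows the canned exploit: 200+ consecutive 'A' bytes."""
    return re.search(rb"A{200,}", payload) is not None


def length_based_detector(payload: bytes) -> bool:
    """Protocol-aware check: flag any USER argument over FIELD_MAX, whatever it contains."""
    m = FIELD_RE.match(payload)
    return m is not None and len(m.group(1)) > FIELD_MAX


def make_variants(count: int, seed: int = 1) -> list:
    """Constructed test cases: variant 0 is the textbook 'A' filler, the rest use
    random printable filler. 'A' is excluded from the random alphabet so the
    brittle signature's result on those variants is deterministic."""
    rng = random.Random(seed)
    alphabet = (string.ascii_letters + string.digits).replace("A", "")
    variants = [b"USER " + b"A" * 1024 + b"\r\n"]
    for _ in range(count - 1):
        filler = "".join(rng.choice(alphabet) for _ in range(1024)).encode()
        variants.append(b"USER " + filler + b"\r\n")
    return variants


def detection_rate(detector, variants) -> float:
    """Fraction of the variant set that the detector flags."""
    hits = sum(1 for v in variants if detector(v))
    return hits / len(variants)


def coverage_report(count: int = 40) -> dict:
    """Run both detectors over `count` variants plus the benign sample."""
    variants = make_variants(count)
    return {
        "brittle": {
            "rate": detection_rate(brittle_signature, variants),
            "false_positive": brittle_signature(BENIGN),
        },
        "length": {
            "rate": detection_rate(length_based_detector, variants),
            "false_positive": length_based_detector(BENIGN),
        },
    }


if __name__ == "__main__":
    for name, result in coverage_report().items():
        print(f"{name}: detected {result['rate']:.0%} of variants, "
              f"false positive on benign = {result['false_positive']}")
```

Run against 40 variants, the brittle signature catches only the first (the one that looks like the published exploit) while the length check catches all of them with no false positive on the benign line; that gap is what the permutation runs described above are designed to expose.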
