Hey Stefano, On 2/25/06, Stefano Zanero <[EMAIL PROTECTED]> wrote: > Aaron Turner wrote:
[snip most of this since I've already covered test labs and the effort to setup and maintain them] > > Say you have two IPS's you want to test. You an send an "attack" with > > Metasploit against the first one and it detects it. You run it again > > against the second one and it doesn't. > > Consider this. > > You send a tcp replayed stream against the first one, and then agains > the second one. The first one catches an attack, the second one doesn't. > > Does this mean the first one is better ? No, it does not mean absolutely > anything. In a vacuum, of course not. But we're talking about a series of test cases here. > The core of the problem is in WHAT YOU CALL TESTING, not in what you use > to throw packets at your IDS probe... I'm not going to try to tell you or anyone what is the right methodology to test IDS/IPS's. Everyone seems to have their own opinions on the mattter and the correct answer seems to depend on their goals, resources (both financially and time) and background. Hopefully through this thread people have gotten a clearer picture of how tools like Metasploit and tcpreplay can be used (or shouldn't be) in their tests. Regards, Aaron -- Aaron Turner http://synfin.net/ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
