Another way of testing your sensors is to generate a known set of "suspicious" traffic; you can do this with your favourite "attack tools", depending on what areas of the IDS functionality you are looking to test.

Inject this into your network against your standard background traffic. Capture the whole lot, i.e. background traffic and suspicious events, using tcpdump. You can then use tcpreplay to replay the traffic at various speeds to test the ability of the IDS to perform against various network loads. If you want to, you can of course generate harmless background traffic to make the IDS's life harder, and if you really want to give it a hard time, run everything through fragroute as well.

Regards
Sarah

-----Original Message-----
From: Robert Graham
To: bojidar_tzendov; [EMAIL PROTECTED]
Sent: 15/06/03 18:37
Subject: Re: [ISSForum] How to test Sensors?

In RealSecure 7, take a look at the "SensorStatistics" event that appeared in XPU 20.13. This event is triggered every 15 minutes, and contains a count of the number of packets seen. Look at the "event details" for SensorStatistics in order to see these counts. It also shows what is happening in the TCP state tracking tables. For example, if you are getting large counts for "tcp.misseddata_acks" or "tcp.onesided", then there is likely a problem in the way you've tapped into traffic. And, of course, if you aren't seeing many "ip.packets", then you likewise haven't tapped correctly into traffic. (Note that if you aren't seeing any SensorStatistics, then you aren't seeing any packets at all.)

Once you've made sure that this is correct, then go to a web browser and type in a hostile URL. The traditional one is "http://victim/cgi-bin/phf". Make sure that the packets in question are actually supposed to be going across the wire in question. We spend a lot of time with customers who do their test wrong. For example, a customer might type a hostile URL, then realize the IDS wasn't plugged in, and then the second time, they don't realize the web browser has cached the first request.

--- bojidar_tzendov <[EMAIL PROTECTED]> wrote:
> Dear All,
>
> How to test sensors if I have a pilot installation?
>
> Is there any procedure and tools?
>
> Can anyone send me docs and tools or at least urls?
>
> Thanks in advance
> bojidar
>
> Bojidar Tzendov
> Area Sales Manager
> Test Solutions
> mobile: +359 88 605 365
> phone: +359 2 969 60 60
> fax: +359 2 969 60 69

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
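As an added example that is not part of the thread (neither Sarah's nor Robert's own scripts), the shell harness below strings together the two procedures discussed: Sarah's capture-and-replay test at several load levels, and Robert's hostile-URL check done with curl instead of a browser so that a cached first request cannot silently skip the second attempt. The interface names eth1/eth2, the capture file name sensor-test.pcap and the host victim.example are placeholders. By default (DRY_RUN=1) it only prints the commands it would run; DRY_RUN=0 executes them, which needs root and tcpdump, tcpreplay and curl on the PATH.

```shell
#!/bin/sh
# Added example harness for the sensor test described in the thread; not from the list.
# Placeholders (assumptions): capture interface eth1, replay interface eth2,
# capture file sensor-test.pcap, test web host victim.example.
DRY_RUN="${DRY_RUN:-1}"
CAP_IF="${CAP_IF:-eth1}"
REPLAY_IF="${REPLAY_IF:-eth2}"
PCAP="${PCAP:-sensor-test.pcap}"
TARGET="${TARGET:-victim.example}"

# Print each command; execute it only when DRY_RUN=0.
run() {
    echo "+ $*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# Step 1 (Sarah): capture background plus injected traffic. -s 0 keeps full packets
# so the replay is faithful; run this in another window and stop it (Ctrl-C)
# once the suspicious traffic has been injected.
capture_cmd() {
    echo "tcpdump -i $CAP_IF -s 0 -n -w $PCAP"
}

# Step 2 (Sarah): replay the capture at a chosen rate. tcpreplay takes --mbps=N for a
# fixed rate, --multiplier=N relative to the captured timing, and --topspeed.
# Rates here: a plain number means Mbps, "5x" means 5 times captured speed, "top" is top speed.
replay_cmd() {
    rate="$1"
    case "$rate" in
        top) echo "tcpreplay -i $REPLAY_IF --topspeed $PCAP" ;;
        *x)  echo "tcpreplay -i $REPLAY_IF --multiplier=${rate%x} $PCAP" ;;
        *)   echo "tcpreplay -i $REPLAY_IF --mbps=$rate $PCAP" ;;
    esac
}

# Walk the load levels. Between runs, compare the sensor's SensorStatistics
# "ip.packets" count with the packet count tcpreplay reports to see where it falls behind.
replay_sweep() {
    for rate in 1 10 100 top; do
        run $(replay_cmd "$rate")   # unquoted on purpose: split the string into argv
    done
}

# Step 3 (Robert): the traditional hostile-URL test, sent with curl rather than a browser.
# The no-cache header and a changing query string make every attempt a fresh request on the wire.
url_test_cmd() {
    host="$1"
    echo "curl -s -o /dev/null -H Cache-Control:no-cache http://$host/cgi-bin/phf?seq=$(date +%s)"
}

echo "Start this capture in another window first, stop it after the injection run:"
capture_cmd
run $(url_test_cmd "$TARGET")   # inject the known suspicious request while capturing
replay_sweep                    # then replay the capture at increasing loads
```

Run it once with the defaults to see the command lines, check that the sensor's SensorStatistics counts move as expected during the real run, and only then raise the replay rate; if ip.packets stops keeping up at a given rate before any event is missed, the tap or span port, not the signature engine, is the first thing to look at.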
