IDS Testing Tools

203 views
Skip to first unread message

gee...@gmail.com

unread,
Dec 14, 2007, 7:29:23 PM12/14/07
to HeX liveCD
Greeting all,

I came across this short article that written by Richard regarding
"How to test Snort", I have discussed with few developers about
putting all the Intrusion Detection System testing tools that
mentioned in the article into HeX so you just bump in the liveCD, boot
up and ready to test your IDS that deployed in the network without
much brain storming.

Unfortunately all the tools there are not available in FreeBSD ports/
packages, therefore if we want to include it, we will have to port it.
Therefore I'm asking here if this suggestion may raise the interest of
people around.

Anyway this is the idea for HeX 2.0 that won't be coming so soon and
we have time for it.

Cheers ;]

Richard Bejtlich

unread,
Dec 21, 2007, 11:46:42 PM12/21/07
to HeX-l...@googlegroups.com

Hi geek00l and everyone,

In my article "How to test Snort"

http://searchsecuritychannel.techtarget.com/tip/0,289483,sid97_gci1266313,00.html

I mention

Snot (not available)
Sneeze
Stick
Mucus
IDSWakeup

Similar tools not mentioned include:

Fpg (http://www.geschke-online.de/FLoP/fpg.8.html)
snortspoof.pl (http://trac.cipherdyne.org/trac/fwsnort/browser/fwsnort/branches/fwsnort-1.0.3/snortspoof.pl)

HOWEVER, I do NOT recommend using these tools in most cases. They are
all stateless (as explained in my article) and will fail due to
Stream4 or Stream5 keeping connection state.

Instead, I recommend in my article:

"The easiest way to ensure Snort is actually seeing any traffic is to
create a simple rule and see if Snort generates an alert. "

If you want to include a generic traffic generation application, that
is a good idea. I don't think it's necessary to include stateless
Snort "testing" tools though.

Sincerely,

Richard

CS Lee

unread,
Dec 24, 2007, 12:43:59 AM12/24/07
to HeX-l...@googlegroups.com
Hi Richard,

Yes, most of them are stateless, even aaron(tcpreplay) discards the stateful tool(flowreplay) from his tcpreplay suite as it is hard to be implemented. The reason to add IDS testing tool is just to serve quick testing purpose and nothing else.

Anyway talking about traffic generation tool, we have already have almost all of them - hping, nmap, scapy and almost all of them are in menu(check the Net-Tool), those are what I use to test the ids but the reason adding more specific tool is as I said "ease the newbie".

Thanks for the input!



HOWEVER, I do NOT recommend using these tools in most cases.  They are
all stateless (as explained in my article) and will fail due to
Stream4 or Stream5 keeping connection state.

Instead, I recommend in my article:

"The easiest way to ensure Snort is actually seeing any traffic is to
create a simple rule and see if Snort generates an alert. "

If you want to include a generic traffic generation application, that
is a good idea.  I don't think it's necessary to include stateless
Snort "testing" tools though.

Sincerely,

Richard






--
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
Reply all
Reply to author
Forward
0 new messages