[NCSA-discuss] packet captures

Iztok Umek iztok at si-con.com
Tue Feb 27 09:44:41 EST 2007


Nmap/Nessus doesn't make sense for testing an IPS.

The only thing that would do is test how good an IPS is at detecting scanning.

Other than that, tools like Nessus don't actually exploit (or try to 
exploit); they make an educated guess about the vulnerability, which is 
quite different. I would be worried about any IPS that was 
blocking/alerting on a lot of Nessus tests, as it would do two things:

1. Generate a lot of false positives and prevent legitimate traffic.

2. Show a lot of good IPS solutions not being adequate.

Hence I am looking for actual packet captures to be replayed to test IPS.

Sincerely,
    Iztok

Jeff The Riffer wrote:
> On Tue, February 27, 2007 8:39 am, Iztok Umek wrote:
>   
>> I am not asking about the results :) I am looking for packet captures
>> used to test :)
>>     
>
> Ah! Sorry, I misunderstood. I can't talk about the products we tested or the
> results, but I can talk about some of the methodology.
>
> We used several tools to generate aberrant behavior, rather than packet
> replays. One was Core Impact, which actually exploits known holes and installs
> agents. It can do TCP evasion techniques to a limited extent.
>
> For aberrant behavior, we found a nifty little open-source tool called isic,
> which lets you generate all sorts of abnormal traffic:
>
> http://www.mirrors.wiretapped.net/security/packet-construction/isic/
>
> It has binaries to generate abnormal Ethernet, UDP, TCP, IP, and ICMP traffic.
> You can control percentages of the different abnormalities as well as volume
> of traffic. It's VERY noisy and aggressive stuff, but great for seeing if you
> can bring down a system.
> You can also use it to generate a packet storm while trying to sneak in
> through a more mundane attack and trick your IDS/IPS route.
>
> We had problems getting it compiled, but someone was able to find a Debian
> package for it. The Debian package was converted to RPM using Alien and the
> RPM worked great under SuSE 10.0.
>
> Other than that we just used NMap and Nessus to generate varying levels of
> traffic and alerts. Isic was very useful for us...
>