
List:       focus-ids
Subject:    Re: Worm generating network attack traffic?
From:       Skyler.Bingham () londen-insurance ! com
Date:       2008-12-06 0:30:06
Message-ID: OFC32DF9A2.9745813E-ON07257516.007B78C4-07257517.0002CB6F () londen-insurance ! com

You bring up a good point, but not all Nessus checks are
banner-grab-version-number-comparisons.  Many exploit the vulnerabilities
with benign payloads and check for a known-vulnerable response.  This
should be sufficient to generate an IDS alert.  If my IDS sees an exploit
going to a potentially vulnerable service, I would like to know about it.
I don't expect my IDS to be able to distinguish between a malicious and a
benign payload.

I made the assumption (and after rereading the original post, probably
incorrectly) that the OP was inquiring for personal research, in which
case, Nessus would be a free/easy way to check to verify his IDS was
working.  But you're right, I wouldn't recommend using Nessus for this
purpose if you had to pay for it or if you were doing serious analysis.  I
agree your IDS should not be alerting on banner grabs in most cases, but
that's not all Nessus does.

I also agree you are better off using penetration testing products like
Core Impact and Canvas for this purpose if you can afford them, but
they are probably a little too pricey to be purchased for the sole purpose
of generating attack traffic to test your IDS (especially for personal
research).  If you can't afford them (and even if you can), Metasploit is a
great free alternative.

Skyler Bingham
GIAC {GSEC, GCIH, GCIA, GCFA}, CEH
(602) 957-1650 x1139

listbounce@securityfocus.com wrote on 12/04/2008 04:11:15 PM:

>
> I think it is important to note that:
>
> (Traffic generated by vulnerability scanners) != (attack traffic)
>
> While vulnerability assessment (VA) scanners can/will generate alerts
> I would advise against using them if you want to do any kind of real
> analysis.  In fact, you probably don't want an IDS that is going to
> mistake something like a service probe / banner grab (which is what
> many VA checks actually are) with an actual attack.  Any IDS that does
> is going to be *highly* false positive prone...
>
> FWIW, I have found tools such as Core Impact, Metasploit, and Canvas
> to be far better options for testing IDS/IPS signature engines.
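As an added illustration that is not part of this thread, a toy signature matcher in Python shows the point both posters are circling: a scanner check that sends a benign payload and a real attempt that uses the same trigger look identical to a signature IDS, while a plain banner grab only alerts if someone has written a rule for it. The rule names, patterns and sample requests are constructed for this example, not real Nessus checks or IDS rules.

```python
# Toy signature IDS: rules are regexes run over the text of an HTTP request.
# Everything here (rule names, patterns, traffic) is constructed for
# illustration; none of it is a real Nessus check or Snort rule.
import re

# "TUNED" keys only on the hypothetical exploit trigger (an oversized header).
# "NOISY" adds a rule for a bare HEAD probe, the false-positive-prone
# behaviour the quoted reply warns about.
TUNED_RULES = {
    "HYPOTHETICAL-HEADER-OVERFLOW": re.compile(r"^X-Long-Header: .{512,}$", re.M),
}
NOISY_RULES = dict(TUNED_RULES)
NOISY_RULES["HTTP-HEAD-PROBE"] = re.compile(r"^HEAD /\S* HTTP/1\.[01]\r?$", re.M)


def match_rules(rules: dict[str, re.Pattern], request: str) -> list[str]:
    """Return the (sorted) names of rules whose pattern appears in the request."""
    return sorted(name for name, pat in rules.items() if pat.search(request))


def evaluate(rules: dict[str, re.Pattern], traffic: dict[str, str]) -> dict[str, list[str]]:
    """Run every labelled sample through a rule set; map label -> alert names."""
    return {label: match_rules(rules, req) for label, req in traffic.items()}


# Constructed sample traffic (CRLF-delimited HTTP request text).
TRAFFIC = {
    # Version/banner probe: no exploit trigger at all.
    "banner_grab": "HEAD / HTTP/1.0\r\n\r\n",
    # Scanner-style check: the oversized header with harmless filler.
    "scanner_check": "GET / HTTP/1.0\r\nX-Long-Header: " + "A" * 600 + "\r\n\r\n",
    # A real attempt would put different bytes in the same position; the
    # signature cannot tell them apart, which is the first poster's point.
    "real_attempt": "GET / HTTP/1.0\r\nX-Long-Header: " + "B" * 600 + "\r\n\r\n",
}

if __name__ == "__main__":
    for name, rules in (("tuned", TUNED_RULES), ("noisy", NOISY_RULES)):
        print(name, evaluate(rules, TRAFFIC))
```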


