Security Group | 1 Dec 14:43 2008

Re: Host Based IDS

Hi,

First of all many thanks for your replies and excuse me for my late response.

Your requests for clarification are justified. I will describe the situation:

We have Windows servers (60+) with custom server applications (self
developed software) which are in the DMZ.

There is already a network based IDS present based on S-flow packets.

But since the DMZ is the first base on the way in for any hacker, we
want intrusion detection on the machines in the DMZ.

We now have a very simple IDS in place which monitors process starts.
This HIDS will report an alert if an abnormal process start occurs
(i.e. a reverse shell starting cmd.exe in an abnormal fashion).
This is only one simple abnormality check on a host. We are wondering
if there are other host based IDS which check for abnormal process
starts and much more (file integrity, event log, etc.).

Which HIDS provides the best abnormality checking (process starts, event
log, file integrity, etc.) on a host:
OSSEC
Open Source Tripwire
SAMHAIN
OSIRIS
AIDE
Third Brigade Deep Security
Symantec Critical System Protection
(Continue reading)
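Two of the host checks the post asks about, in toy form: a process-start abnormality check that learns parent/child pairs from a clean period and alerts on a server process spawning a shell, and a file-integrity baseline of the kind the listed products maintain. This is an added example, not code from the thread or from any product it names; every path, record and file below is constructed, and the record fields are our own rather than a real Windows event log format.

```python
"""Toy host checks: abnormal process-start detection and a file-integrity baseline.
Added example; all records, paths and files are constructed."""
import hashlib
import os
import tempfile

# Constructed process-start records: (parent image, child image, command line)
# gathered while the host was known to be clean. On a real host these would come
# from process-creation auditing; the field layout here is our own.
BASELINE_EVENTS = [
    (r"C:\Windows\System32\services.exe", r"C:\Apps\OrderServer\orderd.exe", "orderd.exe --port 8443"),
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    (r"C:\Apps\OrderServer\orderd.exe", r"C:\Apps\OrderServer\report.exe", "report.exe --nightly"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

# Constructed records from a later period: the first is routine, the second is the
# situation the post describes (the custom server process itself starting a shell).
NEW_EVENTS = [
    (r"C:\Windows\System32\services.exe", r"C:\Apps\OrderServer\orderd.exe", "orderd.exe --port 8443"),
    (r"C:\Apps\OrderServer\orderd.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]


def learn_baseline(events):
    """Return the set of (parent, child) pairs observed while the host was known clean."""
    return {(parent.lower(), child.lower()) for parent, child, _cmd in events}


def check_process_starts(events, baseline):
    """Alert on every process start whose parent/child pair is absent from the baseline."""
    alerts = []
    for parent, child, cmd in events:
        if (parent.lower(), child.lower()) not in baseline:
            alerts.append({"parent": parent, "child": child, "cmdline": cmd,
                           "reason": "parent/child pair not seen during baseline"})
    return alerts


def snapshot_tree(root):
    """Map each file under root (path relative to root, '/' separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests


def diff_snapshots(before, after):
    """Classify differences between two snapshots as added, removed or modified files."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys() if before[p] != after[p]),
    }


def demo_file_integrity():
    """Run snapshot/diff over a constructed tree where a binary is replaced and a file appears."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "orderd.exe"), "wb") as fh:
            fh.write(b"original binary")
        with open(os.path.join(root, "config.ini"), "wb") as fh:
            fh.write(b"port=8443\n")
        before = snapshot_tree(root)  # the baseline an operator would keep off-host
        with open(os.path.join(root, "bin", "orderd.exe"), "wb") as fh:
            fh.write(b"replaced binary")
        with open(os.path.join(root, "bin", "extra.dll"), "wb") as fh:
            fh.write(b"unexpected file")
        return diff_snapshots(before, snapshot_tree(root))


if __name__ == "__main__":
    for alert in check_process_starts(NEW_EVENTS, learn_baseline(BASELINE_EVENTS)):
        print("ALERT:", alert)
    print(demo_file_integrity())
```

The baseline approach is deliberately coarse: explorer.exe starting cmd.exe is normal for an administrator's interactive session, so it is in the baseline, while the same child under the server process is not, which is exactly the distinction the post's "abnormal fashion" check relies on. The file-integrity half only stores digests in memory; a deployable version would keep the baseline somewhere the host cannot rewrite it.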

Stefano Zanero | 1 Dec 20:41 2008

Re: Host Based IDS

Security Group wrote:
> Btw are there HIDS that can detect all-in-memory exploits (without the
> need of starting a process via the kernel)?

Not in the commercial world, but for sure in research:
http://portal.acm.org/citation.cfm?id=1368514

Best,
Stefano

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------


IDS testing. Libs for packet capture.

All,

I have been working in IDS testing. Now I'm focused on testing network
modules, like Snort, netstat, etc. I am searching for a tool to play
traffic from tcpdumps. Is anyone in the group working on something
like that? The idea is to develop some libpcap-like lib for playing
tcpdumps. The question is: has it already been done? Are there any
other common libs for packet capturing used in common IDSs?

---
Saiko Alexander
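The kind of library the post asks about, in miniature: an added example (not code from the thread, from tcpreplay or from tomahawk) that writes and parses the classic libpcap file format and derives the inter-packet delays a replay tool would honour when playing a capture back at its original timing. The sample frames are constructed, nothing is transmitted, and pcap-ng is a different format that this reader deliberately rejects.

```python
"""Minimal classic-pcap writer/reader plus replay timing. Added example;
sample frames and timestamps are constructed."""
import struct

PCAP_MAGIC = 0xa1b2c3d4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _frame(payload):
    # Constructed Ethernet II frame: dst MAC, src MAC, EtherType 0x0800, payload.
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + payload


# Constructed (ts_sec, ts_usec, frame) records, 0.5 s and then 1.0 s apart.
SAMPLE_PACKETS = [
    (1228200000, 0, _frame(b"packet one")),
    (1228200000, 500000, _frame(b"packet two")),
    (1228200001, 500000, _frame(b"packet three")),
]


def write_pcap(packets, linktype=LINKTYPE_ETHERNET, endian="<"):
    """Serialise (ts_sec, ts_usec, bytes) records into a classic pcap byte string."""
    snaplen = max((len(data) for _, _, data in packets), default=65535)
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype.
    out = bytearray(struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data in packets:
        # Record header: ts_sec, ts_usec, captured length, original length.
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(data), len(data))
        out += data
    return bytes(out)


def read_pcap(blob):
    """Parse a classic pcap blob; returns (linktype, [(ts_sec, ts_usec, bytes), ...]).

    The magic number tells us which byte order the writer used; truncated files
    and records that claim more data than exists raise ValueError rather than
    silently yielding short packets.
    """
    if len(blob) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xd4c3b2a1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file: magic 0x%08x" % magic)
    _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(endian + "HHiIII", blob[4:24])
    packets, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if incl_len > orig_len:
            raise ValueError("captured length exceeds original length at offset %d" % off)
        if off + incl_len > len(blob):
            raise ValueError("truncated packet data at offset %d" % off)
        packets.append((ts_sec, ts_usec, bytes(blob[off:off + incl_len])))
        off += incl_len
    return linktype, packets


def replay_schedule(packets, speed=1.0):
    """Seconds to wait before each packet so the captured inter-packet gaps are preserved.

    speed > 1 compresses the timeline; a replay loop would sleep each delay then send.
    """
    delays, prev = [], None
    for ts_sec, ts_usec, _data in packets:
        t = ts_sec + ts_usec / 1e6
        delays.append(0.0 if prev is None else max(0.0, (t - prev) / speed))
        prev = t
    return delays


if __name__ == "__main__":
    blob = write_pcap(SAMPLE_PACKETS)
    linktype, pkts = read_pcap(blob)
    print("linktype", linktype, "packets", len(pkts), "delays", replay_schedule(pkts))
```

Reading the magic number before trusting any field is what lets the same parser handle captures written on big-endian hosts, and the length checks matter because a sensor that accepts a malformed capture file can be made to misreport what it replayed. A real replay tool additionally rewrites MAC/IP addresses and chooses the interface; tcpreplay does all of that, which is why the replies point to it.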


isb_boy3 | 3 Dec 07:13 2008

Worm generating network attack traffic?


Hi
Does anyone know any tools which can be used to generate network attack
traffic? It is for the purpose of testing IDSs or for collecting an offline
intrusion detection dataset like the 1999 DARPA dataset. I have Windows XP
installed so I need a tool or worm tool to generate network traffic so that
I can collect it with Wireshark.
Waiting for your reply.
Thanks


Andrew Hay | 3 Dec 21:20 2008

RE: IDS testing. Libs for packet capture.

Try Tcpreplay - http://tcpreplay.synfin.net/trac/


Andrew Hay, RHCE, GSEC, GCIA, GCIH, CISSP
Security Analyst CAPITAL G Limited
25 Reid Street
P.O. Box HM 1194
Hamilton HM EX
Bermuda
+1.441.294.2468 Direct
+1.441.296.6853 Fax
+1.441.300.0063 Cell
ahay <at> capitalg.bm
www.capital-g.com



-----Original Message-----
From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com] On Behalf Of Александр Сайко
Sent: Tuesday, December 02, 2008 7:18 PM
To: focus-ids <at> securityfocus.com
Subject: IDS testing. Libs for packet capture.

All,

I have been working in IDS testing. Now I'm focused on testing network
modules, like Snort, netstat, etc. I am searching for a tool to play
traffic from tcpdumps. Is anyone in the group working on something
like that? The idea is to develop some libpcap-like lib for playing
tcpdumps. The question is: has it already been done? Are there any
other common libs for packet capturing used in common IDSs?

(Continue reading)

Tim Grossner | 3 Dec 21:44 2008

Re: Worm generating network attack traffic?

Metasploit would be your best bet.

Tim

On Dec 3, 2008, at 12:13 AM, isb_boy3 wrote:

>
> Hi
> Does anyone know any tools which can be used to generate network attack
> traffic? It is for the purpose of testing IDSs or for collecting an offline
> intrusion detection dataset like the 1999 DARPA dataset. I have Windows XP
> installed so I need a tool or worm tool to generate network traffic so that
> I can collect it with Wireshark.
> Waiting for your reply.
> Thanks
(Continue reading)

Stefano Zanero | 3 Dec 21:54 2008

Re: IDS testing. Libs for packet capture.

Александр Сайко wrote:

> modules, like Snort, netstat, ect. I search for a tools to play
> traffic from tcpdumps.

tcpreplay ?

Stefano


Skyler.Bingham | 3 Dec 21:39 2008

Re: IDS testing. Libs for packet capture.

Have you looked at tcpreplay?  It allows you to play back libpcap packet
capture files in real time (among other things).

http://tcpreplay.synfin.net/trac/


Skyler Bingham
GIAC {GSEC, GCIH, GCIA, GCFA}, CEH
(602) 957-1650 x1139


"Александр Сайко" <saiko.a.s <at> gmail.com>
Sent by: listbounce <at> securityfocus.com
12/02/2008 04:18 PM

To: focus-ids <at> securityfocus.com
cc:
Subject: IDS testing. Libs for packet capture.

(Continue reading)

Skyler.Bingham | 3 Dec 22:06 2008

Re: Worm generating network attack traffic?

Nessus is useful for this as it has thousands of checks that will generate
a ton of attack traffic.  The attacks are categorized by type, so you can
limit the generated traffic to specific types of attacks (Windows, FTP,
DoS, etc.).  Metasploit can be used for very targeted attacks (specific
exploits) which can be tweaked with different evasion options which is
useful for testing IDSes.  Both of these tools can be run from Windows.

http://www.nessus.org/nessus/
http://metasploit.org/

Skyler Bingham
GIAC {GSEC, GCIH, GCIA, GCFA}, CEH
(602) 957-1650 x1139

listbounce <at> securityfocus.com wrote on 12/02/2008 11:13:11 PM:

>
> Hi
> Does anyone know any tools which can be used to generate network attack
> traffic? It is for the purpose of testing IDSs or for collecting an offline
> intrusion detection dataset like the 1999 DARPA dataset. I have Windows XP
> installed so I need a tool or worm tool to generate network traffic so that
> I can collect it with Wireshark.
> Waiting for your reply.
> Thanks

(Continue reading)

Koconis, David | 4 Dec 16:36 2008

RE: IDS testing. Libs for packet capture.


Saiko,

I suggest you look into tomahawk (http://tomahawk.sourceforge.net/).  It was developed specifically
for testing IPS devices.  It does not have quite as many options as tcpreplay now offers, but the essential
functions required for IPS testing are provided.  There are also sample pcaps of old exploits at the
SourceForge project page:

http://sourceforge.net/project/showfiles.php?group_id=121410&package_id=132474
(Select the pcaps.tgz file under Extras)

Be aware that the online documentation and tutorial both refer to v1.0 of the code and are woefully out of
date.  I highly recommend v1.1.  The changes/fixes from 1.0->1.1 are discussed in the Release Notes for
v1.1 (http://tomahawk.sourceforge.net/CHANGES.txt)

David

Full Disclosure:
My opinion is somewhat biased because I rewrote the v1.0 code and submitted all the v1.1 changes.

-----Original Message-----
From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com] On Behalf Of Александр Сайко
Sent: Tuesday, December 02, 2008 6:18 PM
To: focus-ids <at> securityfocus.com
Subject: IDS testing. Libs for packet capture.

All,

I have been working in IDS testing. Now I'm focused on testing network
modules, like Snort, netstat, etc. I am searching for a tool to play
(Continue reading)
