Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Simulate attack or intrusion to cause a signature trigger

Is it possible to simulate an attck or an intrusion , which will trigger any particular signature id in an IDS model 4250. ( on a host which IDS is sensing ). This will enable us to actually check or see an intrusion on real time dashboard on IdS event viewer. Are there any scripts or utilities available which will cause triggering of IDS ignatures. ( with particular id ).

Thanks in advance

10 REPLIES
Cisco Employee

Re: Simulate attack or intrusion to cause a signature trigger

Why not simply enable signature IDs 2000 and 2004 (ICMP echo and echo request, respectively) and send an ICMP ping to a host on a segment being monitored by the IDS sensor? This is a quick and easy way to ensure that you sensor is setup properly and you can view the event to prove that the 'attack' was detected. Afterwards, you can change the signatures to whatever action you want.

New Member

Re: Simulate attack or intrusion to cause a signature trigger

"send an ICMP ping to a host on a segment being monitored by the IDS sensor"

if you send a ping to the interface these things also should be detected ?

in addition : can you issue a "packet display GigabitEthernet0/1"

New Member

Re: Simulate attack or intrusion to cause a signature trigger

hmmm fwiw

ping the interface isnt detected by the IPS

is this a feature or a flaw ?

Cisco Employee

Re: Simulate attack or intrusion to cause a signature trigger

Pinging the command and control interface of the IDS will not be detected as the c&c interface isn't the sniffing interface. Pinging a host on a network segment monitored by the IDS/IPS will fire 2000, 2004 as long as the signatures are enabled.

Gold

Re: Simulate attack or intrusion to cause a signature trigger

Try nmap security scanner

http://www.insecure.org/nmap/index.html

You can perform port scanning, ICMP flooding, SYN/ACK attack...

Hope that helps rate if it does

New Member

Re: Simulate attack or intrusion to cause a signature trigger

Have you checked out this site:

http://www.metasploit.com/

also have a look at

http://www.nessus.org/

New Member

Re: Simulate attack or intrusion to cause a signature trigger

In addition to the excellent suggestions already given:

A) netcat (you may have to search around for it). This tool lets you set up a listening socket on any port, or a connecting socket. You can pipe whatever you want through it, including strings to test signatures that look for them.

B) hping (right now only works on Unix due to Windows restrictions on raw sockets access, but a "fixed" version will be released within a few days). This is a great command line tool to generate any packet you desire, with full control over all headers and the ability to pipe a file through as content.

--Have fun

New Member

Re: Simulate attack or intrusion to cause a signature trigger

If you like hping, check out nemesis

http://www.packetfactory.net/projects/nemesis/

or better yet, scapy...

www.secdev.org/projects/scapy/

Gold

Re: Simulate attack or intrusion to cause a signature trigger

If you're using Windows, go check out Nemesis on http://packetstuff.com they have a windows port that runs directly from a flash drive. Nemesis will allow you to create any packet with any content you like.

New Member

Re: Simulate attack or intrusion to cause a signature trigger

Hi everybody:

There are good suggestions in this post, but I want to add one more comment.

What you are looking for is named a "proof of concept".

It is difficult to test every signature, because you need specials tools and often it is very difficult to find (if exist).

Nessus (mentioned early in this post) is an vulnerability assesment tool and have several kinds of attacks (I suggest you try with knoppix -std because it is already instaled, but you need minimum knowledge about linux).

Another suggestion for specifics vulnerability, visit http://www.securityfocus.com/bid.

If the vulnerability has a proof of concept, you can find it in this web for sure!.

Another problem is that exist the sign for prevent this thread :-P

Hope this help.

Alberto Giorgi from spain (new kid in this block)

1476
Views
0
Helpful
10
Replies
CreatePlease to create content