Cisco Support Community

New Member

Attack Simulation

I want to set up a demo for my customers. How could I simulate the attacks? I've used the String Match Signatures before, but I want to see built-in signatures!

Thanks!

8 REPLIES
New Member

Re: Attack Simulation

You can use a vulnerability scanner like Nessus or Cisco's vulnerability scanner; this will definitely trigger the built-in signature.

New Member

Re: Attack Simulation

As someone has already suggested, using a scanner is a good idea.

Be careful about testing IDS's with IDS testing "tools." Some of these tools do not actually exploit a security problem, they just attempt to look like a tool that does. Some of the signatures may not fire for different IDSes with different testing tools. The best way to test is to actually exploit a target system.

New Member

Re: Attack Simulation

I use the Cisco Secure Scanner to test my IDS! And I see only slim numbers of attack types!! Although my scanner tries/finds a lot of vulnerabilities, the sensor sees only TCP and UDP port sweeps, improper FTP address, but nothing else!!!???

How is it that I set the Sensor to fire when a user fails 3 times to log in to an FTP server (Sig6250), and it doesn't do that??? I set the signature to High Level and the packetd.conf in the Sensor is ok!

My system contains: cspm233i sig10 and ids4210 sp2 sig10

Any advice?

Bronze

Re: Attack Simulation

Cisco Secure Scanner performs a lot of its vulnerability checks using inference. For instance, it will look for a Sendmail version on the banner information returned from TCP port 25. If it finds a version containing a known vulnerability, it will report the problem without actually trying the real Sendmail exploit. This can explain some of the vulnerabilities reported by CSS and not by CSIDS. Also, make sure that the active exploits are enabled during the scan. Otherwise, CSS won't try any of its more probing exploits. In regards to signature 6250 not firing, this could be a potential problem if the FTP login attempts occurred in different sessions. Signature 6250 currently assumes that all the login events occurred in the same TCP session. We are working on an event aggregation system to help correlate multiple alarms in a future release.
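
The per-session behaviour described in the reply above, as an added example that is not part of the original post and is not Cisco's implementation: it counts FTP login failures per TCP session and, for comparison, per source/server pair across sessions. The event tuples, addresses, function names and the use of FTP reply code 530 as the failure marker are assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample events: (src_ip, src_port, dst_ip, dst_port, ftp_reply_code).
# 530 is the FTP "Not logged in" reply; a new src_port means a new TCP session.
EVENTS = [
    ("192.0.2.10", 40001, "198.51.100.5", 21, 530),
    ("192.0.2.10", 40001, "198.51.100.5", 21, 530),
    ("192.0.2.10", 40001, "198.51.100.5", 21, 530),  # 3 failures, one session
    ("192.0.2.77", 51000, "198.51.100.5", 21, 530),
    ("192.0.2.77", 51001, "198.51.100.5", 21, 530),
    ("192.0.2.77", 51002, "198.51.100.5", 21, 530),  # 3 failures, 3 sessions
    ("192.0.2.99", 60000, "198.51.100.5", 21, 230),  # successful login
]
THRESHOLD = 3  # failed logins before alerting, as in the question


def failures_by(events, key):
    """Count failed-login events grouped by the given key function."""
    counts = Counter()
    for ev in events:
        if ev[4] == 530:
            counts[key(ev)] += 1
    return counts


def per_session_alerts(events, threshold=THRESHOLD):
    """Alert only when one TCP session (the 4-tuple) reaches the threshold."""
    counts = failures_by(events, lambda e: e[:4])
    return sorted({k[0] for k, n in counts.items() if n >= threshold})


def aggregated_alerts(events, threshold=THRESHOLD):
    """Correlate across sessions: group by (src_ip, dst_ip, dst_port)."""
    counts = failures_by(events, lambda e: (e[0], e[2], e[3]))
    return sorted({k[0] for k, n in counts.items() if n >= threshold})


if __name__ == "__main__":
    print("per-session:", per_session_alerts(EVENTS))
    print("aggregated: ", aggregated_alerts(EVENTS))
```

A scanner that opens a fresh connection for each login attempt produces the second pattern, which only the aggregated count flags.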

New Member

Re: Attack Simulation

Thanks for the answers! I'm sure now, that my Sensor is ok!

New Member

Re: Attack Simulation

Have you guys seen the product I just mentioned IDS Informer? www.blade-software.com?

New Member

Re: Attack Simulation

Hi, I heard about IDS Informer that does this, www.blade-software.com, there is nothing else out there really, I looked at the end of the year.

M

New Member

Re: Attack Simulation

Download "stick" from http://www.packetstormsecurity.com (search for it)

Its apparent intention is as a resource starvation and DoS tool for IDS's, but if you pare back the rulebase and work with it, it can be a useful tool.

I agree, however, that if you want to see the sensor work, just download some common exploits and run them against a demo box.
