IDS Testing

wongks
Level 1

Hi,

I have currently deployed an IDS 4230 with CSPM 2.3i. The IDS is monitoring one port of a switch, and the other is connected to a management VLAN.

I have done all the configuration needed for the IDS and CSPM. I am now at the testing stage to finalise and close the project.

Using Retina (a port scanning tool) to test the IDS, I tried to use the event viewer (Tools->View Sensor Events->database), but I could not see any intrusion events from this port scanning host.

I have different DMZs on my network. Network A (10.1.1.0/24) is where my port scanning host is. Network B (10.1.2.0/24) is my CSPM, and Network C (10.1.3.0/24) is configured as the monitored network at the IDS (Sensor->Properties panel->Internal Network).

Are there any settings that I have missed?

Please advise. If possible, it would be helpful if you could send me a guide on how to test the IDS to ensure that it is working.

Thank you.

4 Replies

anthall
Level 1

There are several things that could be wrong.

First I would check to make sure the sensor is seeing the traffic you are sending it. The easiest way is to use snoop on the sensor:

(as root) snoop -d spwr0

Run your tool and see if you see the traffic you are sending.

If you are seeing the traffic check the sensor's logs to see if the alarms are firing:

cat /usr/nr/var/log.*

Check for your alarms in that output.

If you see the alarms then you know the problem is in the CSPM/Sensor communication. If you don't see alarms and you know that the sensor is seeing the traffic, then the problem lies with the tool. I'm not familiar with how Retina works, so I'd start with something a little simpler.

Issue an HTTP request (you can use your browser) with a /phf? at the end of it. This should trigger an alarm. Use snoop to verify the sensor saw the traffic.

Let me know how this goes.
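The three checks in this reply (sensor sees the traffic, alarm appears in the sensor log, alarm reaches CSPM) can be scripted on the sensor. The following is an added example, not code from the thread or from Cisco: the interface name, log path and /phf? test request come from the thread, while the function names, the test-host argument and the manually supplied CSPM event count are assumptions. It assumes snoop and curl are available on the sensor.

```shell
#!/bin/sh
# Added example: automates the verification steps from the reply above.
# Everything not quoted from the thread (function names, arguments) is assumed.

SNIFF_IF="${SNIFF_IF:-spwr0}"              # sniffing interface named in the thread
LOG_GLOB="${LOG_GLOB:-/usr/nr/var/log.*}"  # sensor log files named in the thread

# Step 1: capture traffic to/from the test host for a few seconds so you can
# confirm the sensor actually sees what the test tool sends. Prints the capture path.
capture_traffic() {
    host="$1"; secs="$2"; out="${3:-/tmp/ids-test.snoop}"
    snoop -d "$SNIFF_IF" -o "$out" host "$host" &
    pid=$!
    sleep "$secs"
    kill "$pid" 2>/dev/null
    echo "$out"
}

# Step 3 of the reply: issue the /phf? test request against a web server you
# own. Prints the HTTP status code so the request itself can be confirmed.
send_test_request() {
    target="$1"
    curl -s -o /dev/null -w '%{http_code}' "http://$target/phf?"
}

# Step 2: count lines matching a pattern (e.g. "phf") across the sensor logs.
# $2 optionally overrides the log glob (used for offline testing with a temp file).
count_alarms() {
    pattern="$1"; glob="${2:-$LOG_GLOB}"
    # shellcheck disable=SC2086  -- the glob must expand
    cat $glob 2>/dev/null | grep -c -i -- "$pattern" || true
}

# Encodes the decision tree from the reply: where did the chain break?
# $1 = packets captured, $2 = alarms in sensor log, $3 = events shown in CSPM
diagnose() {
    packets="$1"; alarms="$2"; cspm_events="$3"
    if [ "$packets" -eq 0 ]; then echo "sensor-not-seeing-traffic"
    elif [ "$alarms" -eq 0 ]; then echo "no-signature-match"
    elif [ "$cspm_events" -eq 0 ]; then echo "sensor-cspm-communication"
    else echo "ok"; fi
}
```

A typical run on the sensor would be `capture_traffic 10.1.3.10 10`, then `send_test_request 10.1.3.10` from the test host, then `diagnose "$(snoop -i /tmp/ids-test.snoop | wc -l)" "$(count_alarms phf)" <events-seen-in-CSPM>` (the 10.1.3.10 address is a constructed example inside the thread's Network C).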

Hi,

Thanks for your prompt reply.

I am able to see traffic by using the snoop command.

I am also able to see the logs... by the way, what do you mean by alarm?

I tried the phf?.... and it really triggered a log in the event viewer.

If we initiate the attack from the protected network of the IDS, will it be detected by the IDS?

Lastly, is it OK if you recommend some tests or software that we can use to test the IDS? We need to do a User Acceptance Test for the IDS.

Thank you for your assistance.

Regards.

Nessus works great to light up an IDS. It's fairly easy to install, free, and is a great tool to have in your inventory.

http://www.nessus.org

Nessus is a good tool, but there are some drawbacks when testing an IDS. Cisco IDS, for example, has signatures written in such a way that some test cases won't fire unless they are actual exploits. Nessus' test cases aren't always exploits, due to the Denial of Service conditions that they could cause.

I'm not trying to bad-mouth Nessus in any way; I'm only trying to highlight a reason why Cisco IDS might not fire on all of Nessus' test cases.
