
Testing of IDS

cocolema
Level 1

We have just installed a 4210 with CSPM behind a PIX 515. How do I determine if the IDS is actually working? I mean, how do you know without becoming a target for hackers? Are there any procedures or tools that will allow you to test the IDS from the outside?

Thanks,

Cosby

5 Replies

marcabal
Cisco Employee

Is your 4210 watching a DMZ with a Web Server?

If so, then from outside your network make a connection to the web server and request a page named SensorTest.

Of course, your web server will not have this page, so it will give you an error which is fine.

Now create a custom signature that looks for SensorTest as part of a URL request.

The next time you request the nonexistent page SensorTest it should generate an alarm, and you'll know your sensor is up and running.

For more information on creating a custom signature refer to the following links:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids6/12216_02.htm#xtocid1115824

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/csids6/13346_01.htm

If you don't have a web server, then the same can still be done for almost any other tcp service you are letting through your firewall.

If you want to validate specific signatures, then you would need to pick a signature and read up on it. Then try executing the attack through your firewall. If the firewall blocks the attack then the sensor will likely not alarm. You'll have to find one that your firewall is letting through, and then the sensor should alarm.

Just to be sure I don't misunderstand you, are you saying that the IDS's promiscuous interface should be connected behind the firewall's DMZ? Currently, we have that interface placed in front of our firewall in the DMZ between the firewall and our outside router. Monitoring and blocking is taking place on the outside router.

I have to say that the documentation for this product reaches a new high in lows. I'm scared to death that the bad guys are running rampant through our network and the IDS is unaware.

Thanks,

Cosby

Placing of the monitoring interface can be either inside your firewall or outside your firewall.

If inside your firewall you will only be monitoring packets that the firewall is allowing through.

If outside your firewall you will be monitoring the packets that the firewall is allowing through as well as the packets that the firewall is blocking.

In many cases users are inundated with alarms when the sensor is monitoring outside the firewall. Many users are constantly being scanned and attacked, and the IDS is constantly firing off alarms. By placing it inside their firewall they find out that the firewall is doing its job and blocking most of it, so then they only concentrate on the alarms for traffic that is actually being passed through the firewall.

So placement of the monitoring interface is really up to the user. In some cases users have one sensor on the inside that they use on a daily basis, then have a second on the outside. When they notice an attack on the inside, they check the outside to find out what else the attacker may have been doing that the firewall was able to block.

The command and control interface of the sensor, on the other hand, should always be behind the Firewall. You should configure your Firewall to let the internal sensor ip address connect to the outside router for changing of the router's configuration.
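The two points made in the replies above (the SensorTest canary signature, and what a sensor sees when tapped outside versus inside the firewall) can be modelled in a few lines. The following is an added example written for this page; it is not Cisco IDS or CSPM code and does not reproduce the 4210's signature engine. The hosts, ports, firewall rules, signature ids and packets are all constructed for illustration; the only thing taken from the thread is the idea of matching "SensorTest" in a requested URL.

```python
"""Toy model of the canary test and of sensor placement (added example).

1. A custom signature that fires on a URL containing "SensorTest" proves the
   sensor sees traffic without running a real attack.
2. A sensor tapped outside the firewall sees allowed and blocked packets; one
   tapped inside sees only what the firewall passes, so a signature for
   traffic the firewall drops never alarms there.

All addresses, ports, rules and packets are constructed, not captured.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str  # first bytes of the TCP payload, e.g. an HTTP request line


# Assumed firewall policy: only web traffic to the DMZ web server is allowed.
DMZ_WEB = "10.0.1.10"
ALLOW = {(DMZ_WEB, 80), (DMZ_WEB, 443)}


def firewall_allows(p: Packet) -> bool:
    return (p.dst, p.dport) in ALLOW


# Signatures: (id, name, destination port or None, regex over the payload).
SIGNATURES = [
    # The canary from the thread: "SensorTest" anywhere in an HTTP request URI.
    (20001, "SensorTest canary", 80,
     re.compile(r"^(?:GET|HEAD|POST) \S*SensorTest\S* HTTP/")),
    # Constructed: any payload to a service the firewall does not pass.
    (20002, "Telnet probe", 23, re.compile(r".*")),
]


def inspect(p: Packet):
    """Return the ids of all signatures that match one packet."""
    hits = []
    for sid, _name, port, pat in SIGNATURES:
        if port is not None and p.dport != port:
            continue
        if pat.search(p.payload):
            hits.append(sid)
    return hits


def run_sensor(traffic, placement: str):
    """Run the signature set over the traffic visible at a tap point.

    "outside": the span port sits between the border router and the firewall,
               so every packet is visible.
    "inside":  the span port sits behind the firewall, so only packets the
               firewall allows reach the sensor.
    """
    if placement == "outside":
        seen = list(traffic)
    elif placement == "inside":
        seen = [p for p in traffic if firewall_allows(p)]
    else:
        raise ValueError(f"unknown placement: {placement}")
    alarms = []
    for p in seen:
        for sid in inspect(p):
            alarms.append((sid, p.src, p.dst, p.dport))
    return alarms


# Constructed traffic: the canary request, a normal page request, and a
# telnet probe that the firewall drops.
TRAFFIC = [
    Packet("203.0.113.5", DMZ_WEB, 80, "GET /SensorTest HTTP/1.0\r\n"),
    Packet("203.0.113.5", DMZ_WEB, 80, "GET /index.html HTTP/1.0\r\n"),
    Packet("203.0.113.9", DMZ_WEB, 23, "\xff\xfd\x18"),
]


def alarm_ids(placement: str):
    """Sorted signature ids that fire for TRAFFIC at the given tap point."""
    return sorted(sid for sid, *_ in run_sensor(TRAFFIC, placement))


if __name__ == "__main__":
    for where in ("outside", "inside"):
        print(where, alarm_ids(where))
```

The canary fires at both tap points because the firewall passes port 80 to the web server, which is exactly why it is a safe end-to-end check; the telnet probe only alarms outside, which is the "find an attack your firewall is letting through" caveat from the first reply.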

The documentation for CSPM is rather poor... I hope some people from Cisco are working on this.

-Denny

you are not kidding..

Documentation was a strength with Cisco, and with the IDS stuff it's changing so fast as well..

Kinda sad that you get snort up and running in pretty much a few clicks LOL

oz