Protocols for Testing Intrusion Detection?
Bill Stewart
nonobvious at gmail.com
Mon May 14 23:52:36 UTC 2012
I'm looking for recommended protocols to use for testing intrusion
detection and maybe also firewall logging.
Basically I need some kind of protocol that it's ok to discard traffic
for in a production network, so I can be sure that the various systems
that should be detecting it and generating alarms are up and running.
Is there already a standard I should be using? (This doesn't seem to
quite match RFC2544.) I'm thinking about things like
- TCP and UDP echo protocol - is this sufficiently deprecated that it
won't be missed, or are there applications still using it?
- Higher-numbered TCP protocol, such as 31337, which appears to have
no official current use, and unofficially is for Back Orifice.
- http:80 from a well-known test address, such as evil.example.com
(probably need both RFC1918 and public IP addresses, so it's somewhat
site-dependent. Should I be using 192.0.2.0/24 or 198.18.0.0/15 as
long as I'm careful not to leak them out to the real internet?)
- Is there any application that can actually set the RFC3514 Evil Bit?
--
----
Thanks; Bill
Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.
More information about the NANOG
mailing list