Protocols for Testing Intrusion Detection?
Darden, Patrick S.
darden at armc.org
Tue May 15 11:27:38 UTC 2012
nmap has some modes that are useful for this:
nmap -sX network #christmas treepackets are sent, nastygram, kamikaze, should light up any IPS
nmap -sS network #stealth syn scan, should light up any good IPS
nmap -O network #OS scan, should light up any sensitive IPS
nmap -o network #udp scan, should light up any very sensitive IPS
nmap network #ping + easy check for open ports from 1--1023, should only light up an overly sensitive IPS
Lots more modes, and lots more scales of sensitivity. All of these are subjective. DMZs, VMZs, inner networks, and private networks would all have different scales of sensitivity. E.g. in my private network if I detected an "nmap network" then I would investigate. In my DMZ I probably wouldn't take notice of such a general scan.
Does that help?
From: Bill Stewart [mailto:nonobvious at gmail.com]
Sent: Monday, May 14, 2012 7:53 PM
To: NANOG list
Subject: Protocols for Testing Intrusion Detection?
I'm looking for recommended protocols to use for testing intrusion
detection and maybe also firewall logging.
Basically I need some kind of protocol that it's ok to discard traffic
for in a production network, so I can be sure that the various systems
that should be detecting it and generating alarms are up and running.
Is there already a standard I should be using? (This doesn't seem to
quite match RFC2544.) I'm thinking about things like
- TCP and UDP echo protocol - is this sufficiently deprecated that it
won't be missed, or are there applications still using it?
- Higher-numbered TCP protocol, such as 31337, which appears to have
no official current use, and unofficially is for Back Orifice.
- http:80 from a well-known test address, such as evil.example.com
(probably need both RFC1918 and public IP addresses, so it's somewhat
site-dependent. Should I be using 192.0.2.0/24 or 198.18.0.0/15 as
long as I'm careful not to leak them out to the real internet?)
- Is there any application that can actually set the RFC3514 Evil Bit?
Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.
More information about the NANOG