Protocols for Testing Intrusion Detection?
I'm looking for recommended protocols to use for testing intrusion detection and maybe also firewall logging. Basically I need some kind of protocol that it's ok to discard traffic for in a production network, so I can be sure that the various systems that should be detecting it and generating alarms are up and running. Is there already a standard I should be using? (This doesn't seem to quite match RFC2544.) I'm thinking about things like - TCP and UDP echo protocol - is this sufficiently deprecated that it won't be missed, or are there applications still using it? - Higher-numbered TCP protocol, such as 31337, which appears to have no official current use, and unofficially is for Back Orifice. - http:80 from a well-known test address, such as evil.example.com (probably need both RFC1918 and public IP addresses, so it's somewhat site-dependent. Should I be using 192.0.2.0/24 or 198.18.0.0/15 as long as I'm careful not to leak them out to the real internet?) - Is there any application that can actually set the RFC3514 Evil Bit? -- ---- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
nmap has some modes that are useful for this: nmap -sX network #christmas treepackets are sent, nastygram, kamikaze, should light up any IPS nmap -sS network #stealth syn scan, should light up any good IPS nmap -O network #OS scan, should light up any sensitive IPS nmap -o network #udp scan, should light up any very sensitive IPS nmap network #ping + easy check for open ports from 1--1023, should only light up an overly sensitive IPS Lots more modes, and lots more scales of sensitivity. All of these are subjective. DMZs, VMZs, inner networks, and private networks would all have different scales of sensitivity. E.g. in my private network if I detected an "nmap network" then I would investigate. In my DMZ I probably wouldn't take notice of such a general scan. Does that help? --p -----Original Message----- From: Bill Stewart [mailto:nonobvious@gmail.com] Sent: Monday, May 14, 2012 7:53 PM To: NANOG list Subject: Protocols for Testing Intrusion Detection? I'm looking for recommended protocols to use for testing intrusion detection and maybe also firewall logging. Basically I need some kind of protocol that it's ok to discard traffic for in a production network, so I can be sure that the various systems that should be detecting it and generating alarms are up and running. Is there already a standard I should be using? (This doesn't seem to quite match RFC2544.) I'm thinking about things like - TCP and UDP echo protocol - is this sufficiently deprecated that it won't be missed, or are there applications still using it? - Higher-numbered TCP protocol, such as 31337, which appears to have no official current use, and unofficially is for Back Orifice. - http:80 from a well-known test address, such as evil.example.com (probably need both RFC1918 and public IP addresses, so it's somewhat site-dependent. Should I be using 192.0.2.0/24 or 198.18.0.0/15 as long as I'm careful not to leak them out to the real internet?) - Is there any application that can actually set the RFC3514 Evil Bit? -- ---- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
On May 14, 2012, at 7:52 PM, Bill Stewart wrote:
- Is there any application that can actually set the RFC3514 Evil Bit?
Code was added to FreeBSD to set it (though I think the commit was later reverted); see the change logs at https://www.cs.columbia.edu/~smb/3514.html --Steve Bellovin, https://www.cs.columbia.edu/~smb
participants (4)
-
Bill Stewart -
Darden, Patrick S. -
Steven Bellovin -
valdis.kletnieks@vt.edu