[152751] in North American Network Operators' Group


RE: Protocols for Testing Intrusion Detection?

daemon@ATHENA.MIT.EDU (Darden, Patrick S.)
Tue May 15 07:28:56 2012

Date: Tue, 15 May 2012 07:27:38 -0400
In-Reply-To: <CAD45i01reSDHH=fvm=EPHhuHDdynkJ9u2K8rLTYvC5_dJx048w@mail.gmail.com>
From: "Darden, Patrick S." <darden@armc.org>
To: "Bill Stewart" <nonobvious@gmail.com>,
	"NANOG list" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


nmap has some modes that are useful for this:

nmap -sX network		#christmas tree packets are sent, nastygram, kamikaze, should light up any IPS
nmap -sS network		#stealth syn scan, should light up any good IPS
nmap -O network		#OS scan, should light up any sensitive IPS
nmap -sU network		#udp scan, should light up any very sensitive IPS
nmap network		#ping + easy check for open ports from 1--1023, should only light up an overly sensitive IPS

Lots more modes, and lots more scales of sensitivity.  All of these are
subjective.  DMZs, VMZs, inner networks, and private networks would all
have different scales of sensitivity.  E.g. in my private network if I
detected an "nmap network" then I would investigate.  In my DMZ I
probably wouldn't take notice of such a general scan.

Does that help?
--p



-----Original Message-----
From: Bill Stewart [mailto:nonobvious@gmail.com]
Sent: Monday, May 14, 2012 7:53 PM
To: NANOG list
Subject: Protocols for Testing Intrusion Detection?


I'm looking for recommended protocols to use for testing intrusion
detection and maybe also firewall logging.
Basically I need some kind of protocol that it's ok to discard traffic
for in a production network, so I can be sure that the various systems
that should be detecting it and generating alarms are up and running.
Is there already a standard I should be using?   (This doesn't seem to
quite match RFC2544.)   I'm thinking about things like
- TCP and UDP echo protocol - is this sufficiently deprecated that it
won't be missed, or are there applications still using it?
- Higher-numbered TCP protocol, such as 31337, which appears to have
no official current use, and unofficially is for Back Orifice.
- http:80 from a well-known test address, such as evil.example.com
(probably need both RFC1918 and public IP addresses, so it's somewhat
site-dependent.  Should I be using 192.0.2.0/24 or 198.18.0.0/15 as
long as I'm careful not to leak them out to the real internet?)
- Is there any application that can actually set the RFC3514 Evil Bit?

-- 
----
              Thanks;     Bill

Note that this isn't my regular email account - It's still experimental
so far.
And Google probably logs and indexes everything you send it.
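The kind of test traffic the original question asks about, worked through as an added example that is not part of the thread: it builds an IPv4/TCP header in memory carrying the markers Bill lists (a destination in 192.0.2.0/24 or 198.18.0.0/15, TCP destination port 31337, and the RFC 3514 reserved bit), a detector that recognises those markers on the wire, and a check that the canary shows up in firewall logs recently enough to prove the alarm pipeline is alive. The iptables-style log format with an RFC 3339 timestamp, the host name and the addresses are assumptions, and the sample log lines are constructed.

```python
"""Canary traffic for checking that an IDS / firewall logging pipeline is alive.

Added example, not from the NANOG thread. Assumed markers: destination in a
documentation/benchmark range, TCP dport 31337, RFC 3514 "evil bit" (the
reserved high bit of the IPv4 flags field). Log format is assumed.
"""
import ipaddress
import re
import struct
from datetime import datetime, timedelta

CANARY_NETS = (ipaddress.ip_network("192.0.2.0/24"),    # TEST-NET-1 (RFC 5737)
               ipaddress.ip_network("198.18.0.0/15"))   # benchmarking (RFC 2544)
CANARY_TCP_PORT = 31337
EVIL_BIT = 0x8000   # bit 0 of the 16-bit flags/fragment-offset field (RFC 3514)
DF_BIT = 0x4000


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_canary_packet(src: str, dst: str, dport: int = CANARY_TCP_PORT,
                        evil_bit: bool = True) -> bytes:
    """Minimal IPv4 + TCP SYN header pair (no payload) with the canary markers.
    Built in memory only; it is the input the detector below is tested with."""
    flags_frag = DF_BIT | (EVIL_BIT if evil_bit else 0)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                             flags_frag, 64, 6, 0,
                             ipaddress.ip_address(src).packed,
                             ipaddress.ip_address(dst).packed)
    csum = struct.pack("!H", ipv4_checksum(ip_no_csum))
    return ip_no_csum[:10] + csum + ip_no_csum[12:] + tcp


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields the detector needs; ValueError on a malformed header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IHL or header checksum")
    _, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    info = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "evil": bool(flags_frag & EVIL_BIT), "dport": None}
    if proto == 6 and len(pkt) >= ihl + 4:          # TCP: destination port follows source port
        info["dport"] = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    return info


def canary_reasons(pkt: bytes) -> list:
    """Which canary markers a packet carries; an empty list means ordinary traffic."""
    p = parse_ipv4(pkt)
    reasons = []
    if p["evil"]:
        reasons.append("evil-bit")
    if any(p["dst"] in net for net in CANARY_NETS):
        reasons.append("dst-test-net")
    if p["dport"] == CANARY_TCP_PORT:
        reasons.append("tcp-31337")
    return reasons


# Assumed iptables-style line: "<rfc3339 ts> <host> kernel: ... SRC= DST= PROTO= ... DPT="
LOG_RE = re.compile(r"^(?P<ts>\S+) \S+ kernel: .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
                    r".*PROTO=(?P<proto>\w+)(?: .*?DPT=(?P<dpt>\d+))?")


def canary_log_status(lines, now: datetime, max_age: timedelta) -> dict:
    """Count canary hits in the log and report whether the newest one is recent
    enough (within max_age of now) to show the logging pipeline is alive."""
    last_seen, hits = None, 0
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m.group("dst"))
        dpt = int(m.group("dpt")) if m.group("dpt") else None
        if any(dst in net for net in CANARY_NETS) or dpt == CANARY_TCP_PORT:
            hits += 1
            ts = datetime.fromisoformat(m.group("ts"))
            last_seen = ts if last_seen is None or ts > last_seen else last_seen
    fresh = last_seen is not None and now - last_seen <= max_age
    return {"hits": hits, "last_seen": last_seen, "fresh": fresh}


# Constructed sample log lines (not from a real device).
SAMPLE_LOG = [
    "2012-05-15T07:10:02 fw1 kernel: IN=eth0 OUT= SRC=10.1.1.7 DST=10.1.1.20 PROTO=TCP SPT=51000 DPT=443",
    "2012-05-15T07:20:01 fw1 kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=192.0.2.9 PROTO=TCP SPT=40000 DPT=31337",
    "2012-05-15T07:25:01 fw1 kernel: IN=eth0 OUT= SRC=10.1.1.5 DST=198.18.0.1 PROTO=UDP SPT=40000 DPT=7",
]


def sample_status(now_iso: str, max_age_minutes: int) -> dict:
    """Run the log check over the constructed sample at a given 'now'."""
    return canary_log_status(SAMPLE_LOG, datetime.fromisoformat(now_iso),
                             timedelta(minutes=max_age_minutes))


if __name__ == "__main__":
    print(canary_reasons(build_canary_packet("10.1.1.5", "192.0.2.9")))
    print(sample_status("2012-05-15T07:30:00", 15))
```

Running the module prints the three markers found on the in-memory canary and a status dict with two log hits, the newest at 07:25:01, flagged fresh against a 15-minute window. A canary that stops appearing (fresh false) is the signal Bill wants: the sensors or the log path, not the network, have gone quiet.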


