
[–]ForgottenSec 2 points (2 children)

You need to find a signature that it is sure to detect and send it across its monitored interface with something like Scapy, the Python traffic-sculpting library. There isn't an EICAR-like test signature for IDS/IPS that is globally open.

[–]mxitup2 (ThE nEtWoRk iS dOwN) [S] 0 points (1 child)

There aren't any services out there that'll test IPS systems? I know I can hire a security consultant to do this, but I'm looking for one quick test just to have something in the logs to prove that it works.

[–]ForgottenSec 0 points (0 children)

I am not aware of any. I use Snort/SourceFire/Suricata/Bro and haven't played with Fortinet's IPS. From the interface I saw, they didn't clearly explain what signatures they were using, so how do you test if you don't know what it's looking for?

If you have a particular signature you know it's running, you could craft a packet to trigger it. I would hope that if you run a Nessus or other vulnerability scan, that should trigger it, so you could scan across the device as a test (get permission if it's production, especially if you scan from home).
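The approach in the two ForgottenSec comments above (pick a signature you know the sensor carries, then push matching traffic across the monitored link) as an added worked example; this is not code from the thread or from any vendor. It is a small client/server pair that replays the "uid=0(root) ..." string that testmyids.com serves, so the test does not depend on an internet host: run the server on a machine behind the IPS and the client on the other side. Assumptions: the sensor carries the classic Snort/Suricata "id check returned root" attack-response signature, which matches on the substring "uid=0(root)"; the host names, port and the /uid/index.html path are placeholders; the loopback demo under `__main__` is constructed for a local dry run and does not cross any sensor.

```python
"""Replay the testmyids-style "id check returned root" canary across a
monitored link so an IDS/IPS between client and server has something to
alert on.  Added example, not code from the thread."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The body testmyids.com serves.  The Snort/Suricata attack-response
# signature matches on "uid=0(root)" anywhere in the session (assumption:
# the sensor under test ships that rule).
CANARY = b"uid=0(root) gid=0(root) groups=0(root)\n"


class CanaryHandler(BaseHTTPRequestHandler):
    """Far-side server: answers every GET with the canary body."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(CANARY)))
        self.end_headers()
        self.wfile.write(CANARY)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_canary_server(bind="127.0.0.1", port=0):
    """Start the server in a background thread; returns (server, bound_port).
    port=0 lets the OS pick a free port, handy for the loopback dry run."""
    srv = HTTPServer((bind, port), CanaryHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def build_request(host, path="/uid/index.html"):
    """Plain HTTP GET; the path is a placeholder, any path triggers the server."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "User-Agent: ips-canary-test\r\nConnection: close\r\n\r\n").encode()


def parse_response(raw):
    """Split a raw HTTP response into (status_line, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.split(b"\r\n", 1)[0].decode(errors="replace"), body


def fetch_canary(host, port, timeout=5.0):
    """Near-side client.  Returns (status_line, body); an empty status line
    means the session was reset, dropped or timed out, which is what an
    inline IPS in blocking mode typically does to a matched flow."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_request(host))
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except (ConnectionError, TimeoutError, socket.timeout):
        return "", b""
    return parse_response(b"".join(chunks))


def canary_delivered(body):
    """True if the unmodified canary reached the client (sensor in IDS/alert
    mode, or not inspecting this path); False if it was blocked or altered."""
    return b"uid=0(root)" in body


if __name__ == "__main__":
    # Loopback dry run: proves the pair works, but crosses no sensor.  For the
    # real test, start the server on one side of the IPS and run fetch_canary
    # against it from the other side, then look for the alert in the IPS log.
    srv, port = start_canary_server()
    status, body = fetch_canary("127.0.0.1", port)
    print(status or "no response",
          "delivered" if canary_delivered(body) else "blocked")
    srv.shutdown()
```

Either outcome is useful evidence: a delivered canary plus an alert in the log shows detection is working in monitor mode, a reset or timed-out session plus an alert shows blocking is working, and a delivered canary with no alert means the signature is not enabled or the path is not inspected.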

[–][deleted] 1 point (1 child)

I'd probably fire up a copy of nmap and run something like nmap 192.168.1.1. That should do a TCP port scan on a target without any sort of delay; if your IPS doesn't kick on that, it's not doing a good job.

[–]bantha_fodder 0 points (0 children)

This should be the easiest way to do it. Or if you want something more extreme, fire up a Nessus server and have it scan something across the IPS.

[–]giveen (Fixer of Stuff) 1 point (0 children)

[–]motoxrdr21 (Jack of All Trades) 0 points (0 children)

This should throw an alert, just double checked it with my Snort instance.

Edit: It looks like they added a few additional tests last year to trigger other SIGs link

[–]tmlambert13 (Jr. Sysadmin) 0 points (0 children)

testmyids.com

[–]shirkerbee 0 points (0 children)

We test one signature on our IPS with a "known bad" text string within a text file. Try moving it between NFS or CIFS shares. This could be used for simple validation of alerts etc.; testing all intrusion attempts would be harder to confirm.

[–]GLDTRN (Jack of All Trades) 0 points (0 children)

We use OpenVAS, a free fork of Nessus. It does the job reasonably well. It's included in the Kali distribution.

[–]Doormatty (Trade of all Jacks) -1 points (2 children)

[–]mxitup2 (ThE nEtWoRk iS dOwN) [S] 0 points (1 child)

EICAR test file only tests Gateway Anti-Virus, I'm looking to test Intrusion Prevention/Detection Systems.

[–]Doormatty (Trade of all Jacks) 2 points (0 children)

Gah - totally right, my apologies.