IDS/IPS program

pma111
I am looking for some basic audit checklists (and/or tools) for an audit review of IDS/IPS systems. Not for building one, just for checking the configuration and operation of one in place. I can't find much online. Can anyone help and point me in the direction of some?
Commented:
Snort is open source and good
http://www.snort.org/

Author

Commented:
Thanks Raxix, what will SNORT check for on the IDS/IPS?

Author

Commented:
I wasn't really after an IDS solution itself. I don't think just due to the fact that an IDS is in place - that's good enough, no audit review necessary. I was more after a security checklist that would be typically used to check controls and operation of an existing IDS.
Top Expert 2014
Commented:
That is a tough one, because an IDS/IPS is configured to allow/block/trigger alarms based on your requirements, which may be different from my requirements.

You would need to know what you want and then set up a custom scanner/pen test to make sure you get the results you expect.

I would start by looking at port scanners (such as NMAP) and penetration testing software.

Just searching on penetration testing IDS I found:

http://www.metasploit.com/
http://www.penetrationtests.com/Tools-Software/IDS-IPS-Solutions/ 

Author

Commented:
Thanks.

Port scan will show the open ports but I wasn't sure how that would help with an IDS review. Or are you coming from the angle to see if the IDS starts flashing red just by performing a port scan from the outside? I appreciate the comment you make around requirements but I would imagine there's some documentation on minimum requirements for a typical network, and then additional requirements based on certain individual corporate policies? Perhaps I am wrong though.
Top Expert 2014

Commented:
If you have rules set up to start flashing red on port scans, then the first test is port scanning. To go beyond that you need pen/vulnerability testing software.

Metasploit is an open source project for pen testing. I have never used it, I never knew it existed until I did a search today.

I know there are other pen/vulnerability testing tools out there.  I don't know how many are free or inexpensive.  I know some can cost a lot of money.

The Metasploit project is managed by Rapid7, which has a commercial product, Nexpose, just for pen/vulnerability testing.

Author

Commented:
I'm aware of Metasploit but as far as I know all it does is give you the actual exploit for an unpatched vulnerability. It's a fancy way of demonstrating the main issue if you don't patch your systems in a timely manner. All Nessus actually seems to do from what I have seen is flag up missing patches and a few default passwords.
Top Expert 2014

Commented:
I'm not sure what you expect from a product/tool.  Products can only scan/test for known issues/vulnerabilities and tell you if it found it.

The idea is you run these scans with your IDS/IPS in place.  Then look at the tool's log and your IDS/IPS log to see the results.

The basic results would be:

    IDS/IPS saw the vulnerability and took the action you wanted ( which could be to do nothing).
    The tool found a vulnerability that your IDS/IPS was not configured to watch for.

Nessus has plug-ins to test for things way beyond user-id passwords.
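The cross-check the answer above describes, as an added example that is not from the original thread: it parses a constructed scanner log and a constructed sensor log, then buckets each scanner finding by whether the IDS/IPS took the action the policy calls for, a different action, or never saw it. Hosts, signature names, the policy table and both log formats are assumptions made for this example.

```python
"""Compare a scan run against the IDS/IPS log: every finding the scanner
reports should match a sensor event whose action is what the policy wants;
anything else is a coverage or tuning gap for the audit to record.
All hosts, signatures and log formats below are constructed for illustration."""
from collections import namedtuple

Finding = namedtuple("Finding", "host port signature")
Alert = namedtuple("Alert", "host port signature action")

# Constructed policy: the action the sensor is supposed to take per check.
POLICY = {"ssh-weak-cipher": "drop", "smb-null-session": "alert",
          "http-dir-traversal": "drop", "tomcat-default-creds": "alert"}

# Constructed scanner output, one "<host> <port> <signature>" per line.
SCAN_LOG = """\
10.0.0.5 22 ssh-weak-cipher
10.0.0.5 445 smb-null-session
10.0.0.9 80 http-dir-traversal
10.0.0.9 8080 tomcat-default-creds
"""
# Constructed sensor log, "<timestamp> <action> <host> <port> <signature>".
IDS_LOG = """\
2024-05-01T10:00:01 drop 10.0.0.5 22 ssh-weak-cipher
2024-05-01T10:00:02 alert 10.0.0.5 445 smb-null-session
2024-05-01T10:00:03 alert 10.0.0.9 80 http-dir-traversal
"""

def parse_scan(text):
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [Finding(h, int(p), s) for h, p, s in rows]

def parse_ids(text):
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [Alert(h, int(p), s, act) for _, act, h, p, s in rows]

def audit_coverage(findings, alerts, policy):
    """Bucket each finding: sensor acted as policy requires ('as_expected'),
    acted differently ('wrong_action', with the action it took), or never
    logged it at all ('not_seen': no rule, wrong placement, or uninspected path)."""
    seen = {(a.host, a.port, a.signature): a.action for a in alerts}
    report = {"as_expected": [], "wrong_action": [], "not_seen": []}
    for f in findings:
        action = seen.get((f.host, f.port, f.signature))
        if action is None:
            report["not_seen"].append(f)
        elif action == policy.get(f.signature):
            report["as_expected"].append(f)
        else:
            report["wrong_action"].append((f, action))
    return report

if __name__ == "__main__":
    for bucket, items in audit_coverage(parse_scan(SCAN_LOG), parse_ids(IDS_LOG), POLICY).items():
        print(f"{bucket}: {len(items)}", *items, sep="\n    ")
```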
