Ask the Expert

Testing an intrusion-detection system

I'm trying to test our HIDS implementation and want to see intrusion detection system (IDS) responses to a server compromise and a rootkit install. Is there somewhere I can download one of the latest rootkits such as t0rn, tuxkit, etc. so I can install it on a lab server for testing purposes? I also want to test chkrootkit scripts to verify effectiveness.


    Requires Free Membership to View

Testing any IDS is always difficult. I would use products such as ISS Scanner or Nessus. Nessus is freeware and does a fine job or better than ISS. There are also many other tools located at Altavista and malicious sites that can do the same, but most don't have all the tools that Nessus provides.

Depending on the HIDS product and your settings, you can do both manual attempts on the device as well as Nessus. You can also do simple things using tools like SamSpade, Ping, netuse, netcat, netbus and many others. IF you are good at perl scripting, you could create many scripts that attempt logins or guess passwords.

To prove your point, you may need NIDS to record your attempts or a sniffer if the packets slip by the NIDS, which in the case most will.

For more information on this topic, visit these other resources:
Tech Tip: Low-cost security tool
Best Web Links: Intrusion detection
Webcast Archive: Intrusion detection


This was first published in September 2002

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: