Intrusion detection and prevention test
This post demonstrates an example of how to do an IPS factory acceptance test.
Test plan parameters example
Serial Number: abcdefg
Purpose: This test verifies the ability of the IPS to block malicious traffic when a signature is matched.
Procedure: On the attacker PC, launch Metasploit. Launch an attack against the victim. Launch Event Viewer to view the IPS events.
1. Cisco IPS blocks the attack Pass/Fail
2. IPS events are shown in Event Viewer Pass/Fail
3. Metasploit attack times out Pass/Fail
Modify the procedure and expected results according to the tool you use. The sections below demonstrate the attacks and the results expected from the Cisco IPS.
This section demonstrates exploit and payload use for testing without IPS.
Metasploit attacks dropped by Cisco IPS4360
Denial of service attack with hping3
From the attacker's machine, launch a hping3 UDP flood:
hping3 --udp --flood 192.168.56.102
Open a new tab and launch the command below (a TCP SYN flood):
hping3 -S --flood 192.168.56.102
Open as many tabs as you want to launch multiple flooding attacks. You should also open Task Manager on the Windows XP victim to monitor resource usage.
When the Cisco IPS blocks this type of attack, it fires an alert and drops the flood; the Windows XP victim will not sit at a constant CPU load between 88% and 90%, but will remain at its normal level between 0% and 9%.
Cisco IPS denial of service event
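The pass/fail evaluation described above can be automated so that the test report is filled in from evidence rather than by eye. The following is an added example, not code from the original post or from Cisco: it assumes a hypothetical plain-text IPS event export (the line format below is constructed, not the IPS4360's own export format), a constructed attacker address of 192.168.56.101 alongside the post's victim 192.168.56.102, and a list of CPU-utilisation samples taken on the victim while the flood was running. Criteria 1 and 2 follow the test plan; criterion 3 is the CPU band the post gives for the denial-of-service case (0-9% idle versus 88-90% under an unblocked flood).

```python
"""Evaluate the DoS acceptance-test criteria from collected evidence."""
import re
from typing import Dict, List

# Constructed sample of an IPS event export. The line format is an
# assumption for this example and is not the Cisco IPS4360 export format.
SAMPLE_IPS_EVENTS = """\
2024-01-15 10:02:11 name="UDP Flood" src=192.168.56.101 dst=192.168.56.102 action=denied
2024-01-15 10:02:13 name="TCP SYN Flood" src=192.168.56.101 dst=192.168.56.102 action=denied
2024-01-15 10:05:40 name="Informational" src=192.168.56.1 dst=192.168.56.102 action=alert
"""

# One regex per event line; lines that do not match are ignored.
EVENT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) name="(?P<name>[^"]*)" '
    r'src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$'
)


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the export into a list of dicts with ts/name/src/dst/action."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def flood_events(events: List[Dict[str, str]], attacker: str, victim: str):
    """Events whose signature name is a flood, from the attacker to the victim."""
    return [
        e for e in events
        if e["src"] == attacker and e["dst"] == victim and "flood" in e["name"].lower()
    ]


def flood_blocked(events: List[Dict[str, str]], attacker: str, victim: str) -> bool:
    """Criterion 1: at least one flood event was denied (dropped), not just alerted."""
    return any(e["action"] == "denied" for e in flood_events(events, attacker, victim))


def cpu_stays_idle(samples: List[float], idle_max: float = 9.0) -> bool:
    """Criterion 3: every CPU sample stays inside the idle band (0-9%).

    An empty sample list is a failed test, not a pass: no evidence was collected.
    """
    return bool(samples) and all(0 <= s <= idle_max for s in samples)


def verdict(ok: bool) -> str:
    return "Pass" if ok else "Fail"


def evaluate(events_text: str, cpu_samples: List[float],
             attacker: str, victim: str) -> Dict[str, str]:
    """Fill in the Pass/Fail column of the DoS test case from the evidence."""
    events = parse_events(events_text)
    seen = flood_events(events, attacker, victim)
    return {
        "1. Cisco IPS blocks the attack": verdict(flood_blocked(events, attacker, victim)),
        "2. IPS events are shown in event viewer": verdict(len(seen) > 0),
        "3. Victim CPU stays at idle level": verdict(cpu_stays_idle(cpu_samples)),
    }


if __name__ == "__main__":
    # Constructed CPU samples taken on the victim during the flood.
    result = evaluate(SAMPLE_IPS_EVENTS, [2, 4, 3, 5], "192.168.56.101", "192.168.56.102")
    for criterion, outcome in result.items():
        print(f"{criterion}: {outcome}")
```

Note that criterion 1 deliberately requires an event with action=denied; an event that was only alerted on would satisfy criterion 2 (the event is visible) while still leaving the victim exposed, which is exactly the distinction a factory acceptance test needs to record.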